Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 22, 2021, 10:53 a.m.	July 22, 2021, 11:11 a.m.

Size	113.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`60bb544289cfeb878cf212268ad90d9b`
SHA256	`88172a45ab45c79f77b1a560dea8fcbb0ca7db792ca3d77e513e190dffc2a7f0`
CRC32	`FF010890`
ssdeep	`1536:h0jP7/L1B5rVmN8sxHv2M28ix8EUaJxWZoB4u0OVE01:K1VmhaH8EFvW+0OVE0`
Yara	IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer OS_Processor_Check_Zero - OS Processor Check Ave_Maria_Zero - Remote Access Trojan that is also called WARZONE RAT UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature

main.exe "C:\Users\test22\AppData\Local\Temp\main.exe"
2444
- svcew.exe "C:\ProgramData\svcew.exe"
  1512
  - cmd.exe "C:\Windows\System32\cmd.exe"
    2408
  - powershell.exe powershell Add-MpPreference -ExclusionPath C:\
    2324
- powershell.exe powershell Add-MpPreference -ExclusionPath C:\
  2256
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
trenchesrelax.duckdns.org	A 23.101.140.170	23.101.140.170

IP Address	Status	Action
158.101.44.242	Active	Moloch
164.124.101.2	Active	Moloch
23.101.140.170	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:61479 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (16 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 22, 2021, 10:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 22, 2021, 10:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 22, 2021, 10:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 22, 2021, 10:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 22, 2021, 10:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 22, 2021, 10:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 22, 2021, 10:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 22, 2021, 10:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 22, 2021, 10:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 22, 2021, 10:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 22, 2021, 10:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 22, 2021, 10:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 22, 2021, 10:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 22, 2021, 10:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 22, 2021, 10:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 22, 2021, 10:54 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 22, 2021, 10:54 a.m.			0	0
IsDebuggerPresent July 22, 2021, 10:54 a.m.			0	0

Command line console output was observed (19 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 22, 2021, 10:54 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW July 22, 2021, 10:54 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW July 22, 2021, 10:54 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW July 22, 2021, 10:54 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW July 22, 2021, 10:54 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\ console_handle: 0x00000053	1	1
WriteConsoleW July 22, 2021, 10:54 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW July 22, 2021, 10:54 a.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW July 22, 2021, 10:54 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW July 22, 2021, 10:54 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW July 22, 2021, 10:54 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW July 22, 2021, 10:54 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW July 22, 2021, 10:54 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW July 22, 2021, 10:54 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\ console_handle: 0x00000053	1	1
WriteConsoleW July 22, 2021, 10:54 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW July 22, 2021, 10:54 a.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW July 22, 2021, 10:54 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW July 22, 2021, 10:54 a.m.	buffer: Microsoft Windows [Version 6.1.7601] console_handle: 0x00000007	1	1
WriteConsoleW July 22, 2021, 10:54 a.m.	buffer: Copyright (c) 2009 Microsoft Corporation. All rights reserved. console_handle: 0x00000007	1	1
WriteConsoleW July 22, 2021, 10:54 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 92 events)

Time & API	Arguments	Status	Return
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006075c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607cc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00608148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00608148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00608148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00608148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00608148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00608148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00608148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00608148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00608148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00608148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00608148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00608148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00608148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00608148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00608088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00608088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00608088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00608088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00608088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00608088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00608088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00608088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d7850 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d7f50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d7f50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2021, 10:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d7f50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 22, 2021, 10:53 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

WM_DSP

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (1 event)

domain

trenchesrelax.duckdns.org

Allocates read-write-execute memory (usually to unpack itself) (50 out of 279 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02680000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72111000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72112000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0263a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02687000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02685000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0263c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02633000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02634000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02635000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02636000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02637000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02638000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02639000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b03000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b04000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b05000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b06000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b07000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b08000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b09000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b0a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b0b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b0c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b0d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b0e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b0f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b13000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (3 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW July 22, 2021, 10:55 a.m.	total_number_of_free_bytes: 13726457856 free_bytes_available: 13726457856 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW July 22, 2021, 10:54 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW July 22, 2021, 10:54 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1

Steals private information from local Internet browsers (3 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data

Foreign language identified in PE resource (1 event)

name

WM_DSP

language

LANG_ENGLISH

filetype

PE32 executable (GUI) Intel 80386, for MS Windows

sublanguage

SUBLANG_ARABIC_QATAR

offset

0x0014f070

size

0x00002c00

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	powershell Add-MpPreference -ExclusionPath C:\
cmdline	C:\Windows\System32\cmd.exe

Executes one or more WMI queries (1 event)

wmi

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW July 22, 2021, 10:54 a.m.	thread_identifier: 2840 thread_handle: 0x000001e4 process_identifier: 2408 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001dc	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 22, 2021, 10:54 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW July 22, 2021, 10:54 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

158.101.44.242

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001e8	1	0	0
NtProtectVirtualMemory July 22, 2021, 10:54 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 process_handle: 0x000001e8	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 22, 2021, 10:54 a.m.	buffer: UìUEÈÒt ÆAêu÷]ÃUìd¡0ì@SVWxé§G03ö_,?EøB<}ôDxEðÀÁë3ÉÛt-}ø¾ÁÎ <aUø\| ÂÀàðëuøA;ËrßUü}ôEðL3ÛD ÂMìÉt<3ÿÊÀMøÑEè ÁÏ ¾ÁøBÉuñUü}øEø}ôÆ;Et EèC;]ìrÄWUüÒKÿÿÿ3À_^[ÉÂuðD$X·DÂëÝUìì¼ESVWXhLw&M ]¸èèþÿÿðÇEÄkern3ÀÇEÈel32EÐEÞEÄPÇEÌ.dllÇEàntdlÇEäl.dlfÇEèlÇEÔuserÇEØ32.dfÇEÜllfÇEø1fÇEü2ÿÖEàPÿÖEÔPÿÖhX¤SåèyþÿÿhyÌ?EèlþÿÿhEVEôè_þÿÿhDð5àEÀèRþÿÿhî¶PE¤èEþÿÿhÆREè8þÿÿh_xTîEðè+þÿÿhÚöÚOEèþÿÿøhÆp}´èþÿÿh_»ðèþÿÿh-W®[E¼èöýÿÿE¬3ÀPhjPPhSE¨ÿ×jEìPÿÖ]ø}°jh0WjÿÓðötîjE¨PW}ìVWÿU¼WÿUð>M]¸tjEøPPjÿUÀÆEhà.ÿU¤3À}«jDj«««DÿÿÿPèTýÿÿÄÿu jhÿÿÿUE¼ÀuOEPDÿÿÿP3ÀPPPPPPPSÿUôÀ¯PPjPPh@SE¸ÿU´øjÿÿtE¸ë^EüPPjÿUÀéeìMìQPÿU}ìtoEPDÿÿÿP3ÀPPPPPPPSÿUôÀuOPPjPPh@SEÿU´øjÿÿt*EPÿu°VWÿU¬WÿUðEPDÿÿÿP3ÀPPPPPPPSÿUôë EüPPjÿUÀÆEÿu¼ÿUð}åþÿÿ_^[ÉÃ,m×dBÌ base_address: 0x00520000 process_identifier: 2408 process_handle: 0x000001e8	1	1	0
WriteProcessMemory July 22, 2021, 10:54 a.m.	buffer: èC:\ProgramData\svcew.exeìôèyèõõP,¨v\|,¨v°Q;öÑ$igÿÿÿÿÿ,õöýà^ªvÌÜ¤Mþÿÿÿ\|,¨v 5¨vè base_address: 0x00530000 process_identifier: 2408 process_handle: 0x000001e8	1	1	0

Harvests credentials from local email clients (3 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\ProgramData\svcew.exe:Zone.Identifier

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

192.168.56.101:49206

main.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All