Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 25, 2021, 12:07 p.m.	July 25, 2021, 12:11 p.m.

Size	420.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`377170928109b8cf902b223b247cab87`
SHA256	`2cc476342cd37570d78bd78d54801ae2387f21d4624b27dafac4f04e580f0dbe`
CRC32	`B6B98679`
ssdeep	`12288:+vCL+iuMvuJJxLJo2MxmsVbSmyor3SSpvItUmBdOApmg7yf:WCqUYxLJbSmEOKr3SSpwt`
Yara	Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature

asxcjhgfd.exe "C:\Users\test22\AppData\Local\Temp\asxcjhgfd.exe"
2052
- osxcjhgfd.exe "C:\Users\test22\AppData\Local\Temp\osxcjhgfd.exe"
  2492
  - osxcjhgfd.exe "{path}"
    3044
- asxcjhgfd.exe "{path}"
  2532

Name	Response	Post-Analysis Lookup
danielmi.ac.ug	A 185.215.113.77	185.215.113.77
danielmax.ac.ug	A 185.215.113.77	185.215.113.77

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.215.113.77	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.77:80 -> 192.168.56.102:49169	2400024	ET DROP Spamhaus DROP Listed Traffic Inbound group 25	Misc Attack
TCP 185.215.113.77:80 -> 192.168.56.102:49169	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.102:49162 -> 185.215.113.77:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 185.215.113.77:80 -> 192.168.56.102:49162	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.77:80 -> 192.168.56.102:49162	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.77:80 -> 192.168.56.102:49162	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 25, 2021, 12:07 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW July 25, 2021, 12:07 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 25, 2021, 12:07 p.m.			0	0
IsDebuggerPresent July 25, 2021, 12:07 p.m.			0	0
IsDebuggerPresent July 25, 2021, 12:07 p.m.			0	0
IsDebuggerPresent July 25, 2021, 12:07 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 25, 2021, 12:07 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (5 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.77/osxcjhgfd.exe
suspicious_features	POST method with no referer header	suspicious_request	POST http://danielmi.ac.ug/index.php
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://danielmax.ac.ug/softokn3.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://danielmax.ac.ug/sqlite3.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://danielmax.ac.ug/freebl3.dll

Performs some HTTP requests (5 events)

request	GET http://185.215.113.77/osxcjhgfd.exe
request	POST http://danielmi.ac.ug/index.php
request	POST http://danielmax.ac.ug/softokn3.dll
request	POST http://danielmax.ac.ug/sqlite3.dll
request	POST http://danielmax.ac.ug/freebl3.dll

Sends data using the HTTP POST Method (4 events)

request	POST http://danielmi.ac.ug/index.php
request	POST http://danielmax.ac.ug/softokn3.dll
request	POST http://danielmax.ac.ug/sqlite3.dll
request	POST http://danielmax.ac.ug/freebl3.dll

Allocates read-write-execute memory (usually to unpack itself) (50 out of 100 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00630000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a72000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01dd0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e63000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e64000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e65000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e66000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00537000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e67000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70832000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e6b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e6c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e6d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e6e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e6f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f93000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f94000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f95000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f96000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f97000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f98000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f99000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f9a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f9b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f9c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f9d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f9e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f9f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06470000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06471000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\osxcjhgfd.exe
file	C:\ProgramData\sqlite3.dll
file	C:\ProgramData\softokn3.dll

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\osxcjhgfd.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\osxcjhgfd.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 25, 2021, 12:07 p.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process osxcjhgfd.exe (3 events)

Time & API	Arguments	Status	Return
InternetReadFile July 25, 2021, 12:08 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¢l$æ JOæ JOæ JOïuÙOê JO?oKNä JO?oINä JO?oONì JO?oNNí JOÄmKNä JO-nKNå JOæ KO~ JO-nNNò JO-nJNç JO-nµOç JO-nHNç JORichæ JOPEL¿bë[à"!¶b¼ÐP ±@¨¸È0xÐ@`ÐþT(ÿ@Ðl.textË´¶ `.rdata DÐFº@@.data @À.rsrcx0@@.reloc`@@B request_handle: 0x00cc000c	1	1
InternetReadFile July 25, 2021, 12:08 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELê=Sv?à!ÐàXà` 8Ã °ÐL ü'ð¬Ñp.textÀÎÐ`0`.data°àÖ@@À.rdata$ð®æ@@@.bss @À.edata°@0@.idataL Ð®@0À.CRTàº@0À.tls ð¼@0À.relocü'(¾@0B/4`0æ@@B/19È@è@B/35MPì@B/51`C`Dô@B/63 °8@B/77ÀF@B/89ÐR request_handle: 0x00cc000c	1	1
InternetReadFile July 25, 2021, 12:08 p.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Àð/AVAVAVéÒVAV]ó@WAV1VAV]óBWAV]óDWAV]óEWAV¦ñ@WAVOò@WAV@VÖAVOòBWAVOòEWÀAVOòAWAVOò¾VAVOòCWAVRichAVPELØbë[à"!Øf)Ýðp£s@pæPÀæÈ@xüÐPà0âTâ@ð8.texttÖØ `.rdataüþðÜ@@.data,HðÜ@À.rsrcx@à@@.relocàPä@B request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00068600', u'virtual_address': u'0x00002000', u'entropy': 7.7962320341900835, u'name': u'.text', u'virtual_size': u'0x000684d4'}

entropy

7.79623203419

description

A section with a high entropy has been found

entropy

0.994047619048

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (2 events)

url	http://ip-api.com/json
url	https://dotbit.me/a/

Yara rule detected in process memory (24 events)

description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Win32 PWS Loki	rule	Win32_PWS_Loki_Zero
description	Run a KeyLogger	rule	KeyLogger
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2532 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004e8	1	0	0
NtAllocateVirtualMemory July 25, 2021, 12:08 p.m.	process_identifier: 3044 region_size: 212992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a8	1	0	0

Potential code injection by writing to the memory of another process (6 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 25, 2021, 12:07 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*à$¦°@@Ðà\CODE° `DATAl°@ÀBSSÅÀ¤À.idataÐ¤@À.reloc\à¬@PÄ@P base_address: 0x00400000 process_identifier: 2532 process_handle: 0x000004e8	1	1
WriteProcessMemory July 25, 2021, 12:07 p.m.	buffer: @2À@@@\@ì @l$@ËÌÈÉ×ÏÈÍÎÛØÚÙÊÜÝÞßàáãäå@ErrorÀRuntime error at 00000000À0123456789ABCDEFÿÿÿÿàO@ÀÀ@@J7<äºÏ¿}ªiFîµä[Jú-EÝ]³QçëqØ'ÓØ'ÓØ'ÖØ7nØ$ÓsØ$ÓsØ$nsØ7ÓsØ7ÖsØ$ÓØ7Ø7ÖØ7ÖsØ$ÓØ$nsØ$nsØ7Ø$ÓØ$nsØ$nsØ7ÖsØ$ÓsØÔØ'ØØsØXØ$ÓØ'ÖØqØ'ÖØáveÛe3ôs>v÷E±Yêá)VûAr5d2'òÂØMY pê5ù©ñÌ-þ+~R¶ÖæÐvMºoß3 v§·5vÅÞ¸`6©¤á þáx.¢Wï)b!ò²jíïz´Ì·\|X¸q/Õæ?dEzãîs£3Ãhp>4Æ7èËJ\|úðØèëá¾iAò¡úèÌ3áHþíG\rgã@À¥[\ë¸?áRÃénSÑÒ-´¼;ÐÍñ[MQ¶SEvr]`U¥Ýê(èúmü'~àÖ.ÚÅÂÅÃ3Â%G°j°Uî½S:Ì¦æä[½V¿vz½åÁL}¸<ÿ,9ÞýV_:Â9 ç½WùÙÔÛoSûËÛ`Qé6ñ¡àwËm¥Anm'o-°aÃÐµ1ä¨5[þ'Çè©Ð¦¿q¤ÞÆ +ºê$gÌ7¶G~Ø: ðDºÜÑk½´úÓæ`¸{ÈQÖÎ<Aæ>5²+X2`ÿ0e¢÷¼Aâ@PD%ÌÐÒ:¨»efk®Z¨ÃÌPÒÕcÕéN{»¨¤¦b«?O±óÝ0ZRÔèÌÚÃOË©¤×`TwR\ÀàÄËÃÐÃsS¦@O±j¹}¢ì Jg_ÍYÇò @'¸PÂZ°)zãp>cXgÇ¼\|½\ÏODná)ü7Lôû8a³Ô´:3ªÆôë¥øGgPnº1½·ÕÔ^)õ/2{Û¸<T¾i#©È7ný_Fû^înB!ôëäRÛc-dèmàÇ«>WÆÄNä¨«$há:_p$Öd^}QÏ kï8áeÏÌË%V¿âFNØ\ðøG;æ1Èy¤SÇ,°!#fñÄþ j®Þ Ø\|íälçÇ+ÆÚ EÅÅ$Ü¶Dë Í!kù,ú"dlQ(°ÇMIÎ,p#°)]ÕÙ9i-0àl&®ª!YÑoPÝ+¾9}\±¡©Ù.¿4#D.§×è¼R I±£ç 1ÔTû_v¿tÂmÿóJQ÷Ð\pk+Fæ_h:÷Ù æÄ £8 c+-û2_ö0ýcQò¸dtµ+ûÞ¸¦åð#t êqêR(PY» ïÀ(¢#ÓÏÆÌzÓ ¯N$ÇAÇAôÆApÇA¤ÆAÇA@ÇAhÇAlÆA,ÇA¼ÆAÇA°ÆAÆAÄÆA´°AÇAÇAÇA(ÈA\ÇAüÆA4ÇA\|ÆAÆAìÆA ÇA<ÇA¸°AèÆA¤ÇA°°AÀÆAÇA¸ÆAdÆA°ÇAðÆA ÇA´ÆA(ÇAÈÇAØ°A¼°AÆAÇAÇAÇAÆA ÆA8ÇA¬ÆAPÇA¬ÇAÆALÇAøÆAÌÆADÇA`ÇA¬°A ÈA¨ÇAÇAÇAÈÆAÆAÇAÆA0ÇAhÆAHÇA´ÇAdanielmi.ac.ug base_address: 0x0041b000 process_identifier: 2532 process_handle: 0x000004e8	1	1
WriteProcessMemory July 25, 2021, 12:07 p.m.	buffer: ,ÒÜÐ ÔHÑXÔXÑÔhÑàÔxÑÕÑ8ÕÑºÖðÑ*×Òp× Ò:ÒRÒjÒÒÒ¬Ò¼ÒÈÒÖÒæÒÓÓ$Ó:ÓPÓbÓtÓÓÓ®Ó¼ÓÊÓÖÓòÓþÓÔ,Ô>ÔLÔfÔzÔÔ¦Ô¶ÔÌÔîÔÕ Õ.ÕFÕRÕZÕfÕxÕÕÕ¦Õ¶ÕÆÕØÕìÕÖÖ.ÖBÖPÖ`ÖrÖ~ÖÖÖ®ÖÄÖÔÖäÖðÖ× ×6×B×V×^×z××kernel32.dllDeleteCriticalSectionLeaveCriticalSectionEnterCriticalSectionInitializeCriticalSectionVirtualFreeVirtualAllocLocalFreeLocalAllocGetTickCountQueryPerformanceCounterGetVersionGetCurrentThreadIdWideCharToMultiByteMultiByteToWideCharGetThreadLocaleGetStartupInfoAGetModuleFileNameAGetLocaleInfoAGetCommandLineAFreeLibraryExitProcessWriteFileUnhandledExceptionFilterRtlUnwindRaiseExceptionGetStdHandleuser32.dllGetKeyboardTypeMessageBoxACharNextAadvapi32.dllRegQueryValueExARegOpenKeyExARegCloseKeyoleaut32.dllSysFreeStringSysReAllocStringLenSysAllocStringLenkernel32.dllGetModuleHandleAadvapi32.dllRegOpenKeyExARegEnumKeyAFreeSidkernel32.dllWriteFileSleepLocalFreeLoadLibraryExWLoadLibraryAGlobalUnlockGlobalLockGetTickCountGetSystemInfoGetProcAddressGetModuleHandleAGetModuleFileNameAGetFileAttributesWGetCurrentProcessIdGetCurrentProcessFreeLibraryFindNextFileWFindFirstFileWFindCloseExitProcessDeleteFileWCreateDirectoryWCopyFileWgdi32.dllSelectObjectDeleteObjectDeleteDCCreateCompatibleDCCreateCompatibleBitmapBitBltuser32.dllReleaseDCGetSystemMetricsGetDCCharToOemBuffAole32.dllOleInitializeCoCreateInstance base_address: 0x0041d000 process_identifier: 2532 process_handle: 0x000004e8	1	1
WriteProcessMemory July 25, 2021, 12:07 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2532 process_handle: 0x000004e8	1	1
WriteProcessMemory July 25, 2021, 12:08 p.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $8±K¿\|Ð%ì\|Ð%ì\|Ð%ìï½ì}Ð%ì¦»ìdÐ%ì¦ìùÐ%ì¦ìOÐ%ìu¨¦ì~Ð%ìu¨¶ì{Ð%ì\|Ð$ìÐ%ì¦ìvÐ%ì¦¸ì}Ð%ìRich\|Ð%ìPELÎ^à 0âz@@@D¨Pôh@@.text.0 `.rdatalq@r4@@.data¨CÀ¦@À.reloc0+,¸@B base_address: 0x00400000 process_identifier: 3044 process_handle: 0x000002a8	1	1
WriteProcessMemory July 25, 2021, 12:08 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3044 process_handle: 0x000002a8	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 25, 2021, 12:07 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*à$¦°@@Ðà\CODE° `DATAl°@ÀBSSÅÀ¤À.idataÐ¤@À.reloc\à¬@PÄ@P base_address: 0x00400000 process_identifier: 2532 process_handle: 0x000004e8	1	1	0
WriteProcessMemory July 25, 2021, 12:08 p.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $8±K¿\|Ð%ì\|Ð%ì\|Ð%ìï½ì}Ð%ì¦»ìdÐ%ì¦ìùÐ%ì¦ìOÐ%ìu¨¦ì~Ð%ìu¨¶ì{Ð%ì\|Ð$ìÐ%ì¦ìvÐ%ì¦¸ì}Ð%ìRich\|Ð%ìPELÎ^à 0âz@@@D¨Pôh@@.text.0 `.rdatalq@r4@@.data¨CÀ¦@À.reloc0+,¸@B base_address: 0x00400000 process_identifier: 3044 process_handle: 0x000002a8	1	1	0

Network activity contains more than one unique useragent (2 events)

process	asxcjhgfd.exe				useragent	Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
process	osxcjhgfd.exe				useragent

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2052 called NtSetContextThread to modify thread in remote process 2532
Process injection	Process 2492 called NtSetContextThread to modify thread in remote process 3044
NtSetContextThread July 25, 2021, 12:07 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4302468 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000004f4 process_identifier: 2532	1	0	0
NtSetContextThread July 25, 2021, 12:08 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4291211 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002a4 process_identifier: 3044	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2052 resumed a thread in remote process 2532
Process injection	Process 2492 resumed a thread in remote process 3044
NtResumeThread July 25, 2021, 12:07 p.m.	thread_handle: 0x000004f4 suspend_count: 1 process_identifier: 2532	1	0	0
NtResumeThread July 25, 2021, 12:08 p.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 3044	1	0	0

Generates some ICMP traffic

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.MSILHeracles.22215
FireEye	Generic.mg.377170928109b8cf
Cybereason	malicious.573522
Cyren	W32/MSIL_Kryptik.EXP.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/GenKryptik.FHVD
APEX	Malicious
Kaspersky	HEUR:Trojan.MSIL.Taskun.gen
BitDefender	Gen:Variant.MSILHeracles.22215
Avast	Win32:PWSX-gen [Trj]
Sophos	ML/PE-A
McAfee-GW-Edition	BehavesLike.Win32.Fareit.gc
SentinelOne	Static AI - Malicious PE
GData	Gen:Variant.MSILHeracles.22215
Avira	HEUR/AGEN.1135727
MAX	malware (ai score=88)
Microsoft	Trojan:Win32/Wacatac.B!ml
Cynet	Malicious (score: 100)
McAfee	Artemis!377170928109
Malwarebytes	Trojan.MalPack.FVTN
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/GenKryptik.FHTI!tr
BitDefenderTheta	Gen:NN.ZemsilF.34050.Am0@amvHGQc
AVG	Win32:PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_90% (W)
Qihoo-360	HEUR/QVM03.0.C6CA.Malware.Gen

Executed a process and injected code into it, probably while unpacking (44 events)

Time & API	Arguments	Status	Return
NtResumeThread July 25, 2021, 12:07 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2052	1	0
NtResumeThread July 25, 2021, 12:07 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2052	1	0
NtResumeThread July 25, 2021, 12:07 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2052	1	0
NtResumeThread July 25, 2021, 12:07 p.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 2052	1	0
NtGetContextThread July 25, 2021, 12:07 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 25, 2021, 12:07 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread July 25, 2021, 12:07 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2052	1	0
NtGetContextThread July 25, 2021, 12:07 p.m.	thread_handle: 0x00000150	1	0
NtGetContextThread July 25, 2021, 12:07 p.m.	thread_handle: 0x00000150	1	0
NtResumeThread July 25, 2021, 12:07 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2052	1	0
NtResumeThread July 25, 2021, 12:07 p.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 2052	1	0
NtResumeThread July 25, 2021, 12:07 p.m.	thread_handle: 0x000003dc suspend_count: 1 process_identifier: 2052	1	0
CreateProcessInternalW July 25, 2021, 12:07 p.m.	thread_identifier: 2496 thread_handle: 0x00000588 process_identifier: 2492 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\osxcjhgfd.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\osxcjhgfd.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\osxcjhgfd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000590	1	1
CreateProcessInternalW July 25, 2021, 12:07 p.m.	thread_identifier: 2536 thread_handle: 0x000004f4 process_identifier: 2532 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\asxcjhgfd.exe track: 1 command_line: "{path}" filepath_r: C:\Users\test22\AppData\Local\Temp\asxcjhgfd.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000004e8	1	1
NtGetContextThread July 25, 2021, 12:07 p.m.	thread_handle: 0x000004f4	1	0
NtAllocateVirtualMemory July 25, 2021, 12:07 p.m.	process_identifier: 2532 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004e8	1	0
WriteProcessMemory July 25, 2021, 12:07 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*à$¦°@@Ðà\CODE° `DATAl°@ÀBSSÅÀ¤À.idataÐ¤@À.reloc\à¬@PÄ@P base_address: 0x00400000 process_identifier: 2532 process_handle: 0x000004e8	1	1
WriteProcessMemory July 25, 2021, 12:07 p.m.	buffer: base_address: 0x00401000 process_identifier: 2532 process_handle: 0x000004e8	1	1
WriteProcessMemory July 25, 2021, 12:07 p.m.	buffer: @2À@@@\@ì @l$@ËÌÈÉ×ÏÈÍÎÛØÚÙÊÜÝÞßàáãäå@ErrorÀRuntime error at 00000000À0123456789ABCDEFÿÿÿÿàO@ÀÀ@@J7<äºÏ¿}ªiFîµä[Jú-EÝ]³QçëqØ'ÓØ'ÓØ'ÖØ7nØ$ÓsØ$ÓsØ$nsØ7ÓsØ7ÖsØ$ÓØ7Ø7ÖØ7ÖsØ$ÓØ$nsØ$nsØ7Ø$ÓØ$nsØ$nsØ7ÖsØ$ÓsØÔØ'ØØsØXØ$ÓØ'ÖØqØ'ÖØáveÛe3ôs>v÷E±Yêá)VûAr5d2'òÂØMY pê5ù©ñÌ-þ+~R¶ÖæÐvMºoß3 v§·5vÅÞ¸`6©¤á þáx.¢Wï)b!ò²jíïz´Ì·\|X¸q/Õæ?dEzãîs£3Ãhp>4Æ7èËJ\|úðØèëá¾iAò¡úèÌ3áHþíG\rgã@À¥[\ë¸?áRÃénSÑÒ-´¼;ÐÍñ[MQ¶SEvr]`U¥Ýê(èúmü'~àÖ.ÚÅÂÅÃ3Â%G°j°Uî½S:Ì¦æä[½V¿vz½åÁL}¸<ÿ,9ÞýV_:Â9 ç½WùÙÔÛoSûËÛ`Qé6ñ¡àwËm¥Anm'o-°aÃÐµ1ä¨5[þ'Çè©Ð¦¿q¤ÞÆ +ºê$gÌ7¶G~Ø: ðDºÜÑk½´úÓæ`¸{ÈQÖÎ<Aæ>5²+X2`ÿ0e¢÷¼Aâ@PD%ÌÐÒ:¨»efk®Z¨ÃÌPÒÕcÕéN{»¨¤¦b«?O±óÝ0ZRÔèÌÚÃOË©¤×`TwR\ÀàÄËÃÐÃsS¦@O±j¹}¢ì Jg_ÍYÇò @'¸PÂZ°)zãp>cXgÇ¼\|½\ÏODná)ü7Lôû8a³Ô´:3ªÆôë¥øGgPnº1½·ÕÔ^)õ/2{Û¸<T¾i#©È7ný_Fû^înB!ôëäRÛc-dèmàÇ«>WÆÄNä¨«$há:_p$Öd^}QÏ kï8áeÏÌË%V¿âFNØ\ðøG;æ1Èy¤SÇ,°!#fñÄþ j®Þ Ø\|íälçÇ+ÆÚ EÅÅ$Ü¶Dë Í!kù,ú"dlQ(°ÇMIÎ,p#°)]ÕÙ9i-0àl&®ª!YÑoPÝ+¾9}\±¡©Ù.¿4#D.§×è¼R I±£ç 1ÔTû_v¿tÂmÿóJQ÷Ð\pk+Fæ_h:÷Ù æÄ £8 c+-û2_ö0ýcQò¸dtµ+ûÞ¸¦åð#t êqêR(PY» ïÀ(¢#ÓÏÆÌzÓ ¯N$ÇAÇAôÆApÇA¤ÆAÇA@ÇAhÇAlÆA,ÇA¼ÆAÇA°ÆAÆAÄÆA´°AÇAÇAÇA(ÈA\ÇAüÆA4ÇA\|ÆAÆAìÆA ÇA<ÇA¸°AèÆA¤ÇA°°AÀÆAÇA¸ÆAdÆA°ÇAðÆA ÇA´ÆA(ÇAÈÇAØ°A¼°AÆAÇAÇAÇAÆA ÆA8ÇA¬ÆAPÇA¬ÇAÆALÇAøÆAÌÆADÇA`ÇA¬°A ÈA¨ÇAÇAÇAÈÆAÆAÇAÆA0ÇAhÆAHÇA´ÇAdanielmi.ac.ug base_address: 0x0041b000 process_identifier: 2532 process_handle: 0x000004e8	1	1
WriteProcessMemory July 25, 2021, 12:07 p.m.	buffer: ,ÒÜÐ ÔHÑXÔXÑÔhÑàÔxÑÕÑ8ÕÑºÖðÑ*×Òp× Ò:ÒRÒjÒÒÒ¬Ò¼ÒÈÒÖÒæÒÓÓ$Ó:ÓPÓbÓtÓÓÓ®Ó¼ÓÊÓÖÓòÓþÓÔ,Ô>ÔLÔfÔzÔÔ¦Ô¶ÔÌÔîÔÕ Õ.ÕFÕRÕZÕfÕxÕÕÕ¦Õ¶ÕÆÕØÕìÕÖÖ.ÖBÖPÖ`ÖrÖ~ÖÖÖ®ÖÄÖÔÖäÖðÖ× ×6×B×V×^×z××kernel32.dllDeleteCriticalSectionLeaveCriticalSectionEnterCriticalSectionInitializeCriticalSectionVirtualFreeVirtualAllocLocalFreeLocalAllocGetTickCountQueryPerformanceCounterGetVersionGetCurrentThreadIdWideCharToMultiByteMultiByteToWideCharGetThreadLocaleGetStartupInfoAGetModuleFileNameAGetLocaleInfoAGetCommandLineAFreeLibraryExitProcessWriteFileUnhandledExceptionFilterRtlUnwindRaiseExceptionGetStdHandleuser32.dllGetKeyboardTypeMessageBoxACharNextAadvapi32.dllRegQueryValueExARegOpenKeyExARegCloseKeyoleaut32.dllSysFreeStringSysReAllocStringLenSysAllocStringLenkernel32.dllGetModuleHandleAadvapi32.dllRegOpenKeyExARegEnumKeyAFreeSidkernel32.dllWriteFileSleepLocalFreeLoadLibraryExWLoadLibraryAGlobalUnlockGlobalLockGetTickCountGetSystemInfoGetProcAddressGetModuleHandleAGetModuleFileNameAGetFileAttributesWGetCurrentProcessIdGetCurrentProcessFreeLibraryFindNextFileWFindFirstFileWFindCloseExitProcessDeleteFileWCreateDirectoryWCopyFileWgdi32.dllSelectObjectDeleteObjectDeleteDCCreateCompatibleDCCreateCompatibleBitmapBitBltuser32.dllReleaseDCGetSystemMetricsGetDCCharToOemBuffAole32.dllOleInitializeCoCreateInstance base_address: 0x0041d000 process_identifier: 2532 process_handle: 0x000004e8	1	1
WriteProcessMemory July 25, 2021, 12:07 p.m.	buffer: base_address: 0x0041e000 process_identifier: 2532 process_handle: 0x000004e8	1	1
WriteProcessMemory July 25, 2021, 12:07 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2532 process_handle: 0x000004e8	1	1
NtSetContextThread July 25, 2021, 12:07 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4302468 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000004f4 process_identifier: 2532	1	0
NtResumeThread July 25, 2021, 12:07 p.m.	thread_handle: 0x000004f4 suspend_count: 1 process_identifier: 2532	1	0
NtResumeThread July 25, 2021, 12:07 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2492	1	0
NtResumeThread July 25, 2021, 12:07 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2492	1	0
NtResumeThread July 25, 2021, 12:07 p.m.	thread_handle: 0x000001bc suspend_count: 1 process_identifier: 2492	1	0
NtResumeThread July 25, 2021, 12:07 p.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 2492	1	0
NtGetContextThread July 25, 2021, 12:07 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 25, 2021, 12:07 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread July 25, 2021, 12:07 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2492	1	0
NtResumeThread July 25, 2021, 12:08 p.m.	thread_handle: 0x0000029c suspend_count: 1 process_identifier: 2492	1	0
CreateProcessInternalW July 25, 2021, 12:08 p.m.	thread_identifier: 3048 thread_handle: 0x000002a4 process_identifier: 3044 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\osxcjhgfd.exe track: 1 command_line: "{path}" filepath_r: C:\Users\test22\AppData\Local\Temp\osxcjhgfd.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002a8	1	1
NtGetContextThread July 25, 2021, 12:08 p.m.	thread_handle: 0x000002a4	1	0
NtAllocateVirtualMemory July 25, 2021, 12:08 p.m.	process_identifier: 3044 region_size: 212992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a8	1	0
WriteProcessMemory July 25, 2021, 12:08 p.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $8±K¿\|Ð%ì\|Ð%ì\|Ð%ìï½ì}Ð%ì¦»ìdÐ%ì¦ìùÐ%ì¦ìOÐ%ìu¨¦ì~Ð%ìu¨¶ì{Ð%ì\|Ð$ìÐ%ì¦ìvÐ%ì¦¸ì}Ð%ìRich\|Ð%ìPELÎ^à 0âz@@@D¨Pôh@@.text.0 `.rdatalq@r4@@.data¨CÀ¦@À.reloc0+,¸@B base_address: 0x00400000 process_identifier: 3044 process_handle: 0x000002a8	1	1
WriteProcessMemory July 25, 2021, 12:08 p.m.	buffer: base_address: 0x00401000 process_identifier: 3044 process_handle: 0x000002a8	1	1
WriteProcessMemory July 25, 2021, 12:08 p.m.	buffer: base_address: 0x00424000 process_identifier: 3044 process_handle: 0x000002a8	1	1
WriteProcessMemory July 25, 2021, 12:08 p.m.	buffer: base_address: 0x0042c000 process_identifier: 3044 process_handle: 0x000002a8	1	1
WriteProcessMemory July 25, 2021, 12:08 p.m.	buffer: base_address: 0x00431000 process_identifier: 3044 process_handle: 0x000002a8	1	1
WriteProcessMemory July 25, 2021, 12:08 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3044 process_handle: 0x000002a8	1	1
NtSetContextThread July 25, 2021, 12:08 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4291211 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002a4 process_identifier: 3044	1	0
NtResumeThread July 25, 2021, 12:08 p.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 3044	1	0
NtResumeThread July 25, 2021, 12:07 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2532	1	0

asxcjhgfd.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All