Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 5, 2021, 5:38 p.m.	Aug. 5, 2021, 5:40 p.m.

Size	594.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`6a1e010d4b1a7f82ebf0dd330155fe77`
SHA256	`ded1412f9509d9fbc0c48687c3611d6cd8356ff0f00a9a2c5836890a5df03925`
CRC32	`FABDD188`
ssdeep	`12288:byTwAFw8YWw+oIPFJnUUvNu9wGl87Dl3hUCwHpyZcmfvdEi/oGjYF7XyQLV8:ewAi6foIdJnUUvkwwkl3AHYZ3ndEco/5`
Yara	UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

edi.exe "C:\Users\test22\AppData\Local\Temp\edi.exe"
2216
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\_Bbmzsbjgqtrphzjybyx.vbs"
  812
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\outlook.exe'
    1032
- edi.exe C:\Users\test22\AppData\Local\Temp\edi.exe
  2316
  - svchost.exe C:\Windows\SysWOW64\svchost.exe
    540
    - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
      2908
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2908 CREDAT:145409
        1744
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2908 CREDAT:79875
        2088
  - svchost.exe C:\Windows\SysWOW64\svchost.exe
    2572
  - svchost.exe C:\Windows\SysWOW64\svchost.exe
    2764
  - edi.exe C:\Users\test22\AppData\Local\Temp\edi.exe /stext "C:\Users\test22\AppData\Local\Temp\ozdweyveusxkjlmjfnuehefwbqbf"
    2564
  - edi.exe C:\Users\test22\AppData\Local\Temp\edi.exe /stext "C:\Users\test22\AppData\Local\Temp\yuqpfrfyqapplranoypfsranjelgirf"
    2180
  - edi.exe C:\Users\test22\AppData\Local\Temp\edi.exe /stext "C:\Users\test22\AppData\Local\Temp\jwvh"
    3036

Name	Response	Post-Analysis Lookup
docs.microsoft.com	A 23.197.164.62 CNAME docs.microsoft.com-c.edgekey.net.globalredir.akadns.net CNAME e13630.dscb.akamaiedge.net CNAME docs.microsoft.com-c.edgekey.net A 184.25.26.74	104.74.216.251
eter101.dvrlists.com	A 79.134.225.84	79.134.225.84

IP Address	Status	Action
104.74.214.213	Active	Moloch
164.124.101.2	Active	Moloch
184.25.26.74	Active	Moloch
23.197.164.62	Active	Moloch
79.134.225.84	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49216 -> 184.25.26.74:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49218 -> 184.25.26.74:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49217 -> 184.25.26.74:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49221 -> 184.25.26.74:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49219 -> 184.25.26.74:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 184.25.26.74:443 -> 192.168.56.101:49220	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49242 -> 23.197.164.62:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49243 -> 23.197.164.62:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49264 -> 184.25.26.74:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49244 -> 23.197.164.62:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49247 -> 23.197.164.62:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 23.197.164.62:443 -> 192.168.56.101:49246	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49263 -> 184.25.26.74:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49245 -> 23.197.164.62:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49261 -> 184.25.26.74:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49262 -> 184.25.26.74:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49267 -> 184.25.26.74:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 184.25.26.74:443 -> 192.168.56.101:49265	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 104.74.214.213:80 -> 192.168.56.101:49260	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.101:49232 79.134.225.84:2050	None	None	None
TLS 1.3 192.168.56.101:49233 79.134.225.84:2050	None	None	None
TLS 1.3 192.168.56.101:49234 79.134.225.84:2050	None	None	None

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 5, 2021, 5:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 5, 2021, 5:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 5, 2021, 5:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 5, 2021, 5:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 5, 2021, 5:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 5, 2021, 5:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 5, 2021, 5:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 5, 2021, 5:39 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 5, 2021, 5:38 p.m.			0	0
IsDebuggerPresent Aug. 5, 2021, 5:38 p.m.			0	0
IsDebuggerPresent Aug. 5, 2021, 5:39 p.m.			0	0
IsDebuggerPresent Aug. 5, 2021, 5:39 p.m.			0	0

Command line console output was observed (9 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 5, 2021, 5:39 p.m.	buffer: The term 'Set-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Aug. 5, 2021, 5:39 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 5, 2021, 5:39 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 5, 2021, 5:39 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Aug. 5, 2021, 5:39 p.m.	buffer: + Set-MpPreference <<<< -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\Mi console_handle: 0x00000053	1	1
WriteConsoleW Aug. 5, 2021, 5:39 p.m.	buffer: crosoft\Windows\Start Menu\Programs\outlook.exe' console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 5, 2021, 5:39 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Set-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 5, 2021, 5:39 p.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Aug. 5, 2021, 5:39 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510298 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510dd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510dd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510dd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510dd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510dd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510dd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510ad8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 5:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00510e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Mozilla Firefox\nss3.dll

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 5, 2021, 5:38 p.m.		1	1	0

One or more processes crashed (5 events)

Time & API	Arguments	Status
__exception__ Aug. 5, 2021, 5:39 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x216b5a5 0x216b51a 0x2168d7c 0x2168433 0x216023c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x3135ed @ 0x6ff535ed 0x6b1afd 0x6b0820 0x6b03fa system+0x1f9799 @ 0x6e899799 system+0x1f92c8 @ 0x6e8992c8 system+0x1eca74 @ 0x6e88ca74 system+0x1ec868 @ 0x6e88c868 system+0x1f82b8 @ 0x6e8982b8 system+0x1ee54d @ 0x6e88e54d system+0x1f70ea @ 0x6e8970ea system+0x1e56c0 @ 0x6e8856c0 system+0x1f8215 @ 0x6e898215 system+0x1f6f75 @ 0x6e896f75 system+0x1ee251 @ 0x6e88e251 system+0x1ee229 @ 0x6e88e229 system+0x1ee170 @ 0x6e88e170 0x52a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6e88bc85 system+0x1f683b @ 0x6e89683b system+0x1a5e44 @ 0x6e845e44 system+0x1fd8a0 @ 0x6e89d8a0 system+0x1fd792 @ 0x6e89d792 system+0x1a14bd @ 0x6e8414bd 0x6b00e3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 3269328 registers.edi: 1990713288 registers.eax: 16777216 registers.ebp: 3269532 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Aug. 5, 2021, 5:39 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x216b5a5 0x216b51a 0x2168d7c 0x2168433 0x216023c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x3135ed @ 0x6ff535ed 0x6b1afd 0x6b0820 0x6b03fa system+0x1f9799 @ 0x6e899799 system+0x1f92c8 @ 0x6e8992c8 system+0x1eca74 @ 0x6e88ca74 system+0x1ec868 @ 0x6e88c868 system+0x1f82b8 @ 0x6e8982b8 system+0x1ee54d @ 0x6e88e54d system+0x1f70ea @ 0x6e8970ea system+0x1e56c0 @ 0x6e8856c0 system+0x1f8215 @ 0x6e898215 system+0x1f6f75 @ 0x6e896f75 system+0x1ee251 @ 0x6e88e251 system+0x1ee229 @ 0x6e88e229 system+0x1ee170 @ 0x6e88e170 0x52a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6e88bc85 system+0x1f683b @ 0x6e89683b system+0x1a5e44 @ 0x6e845e44 system+0x1fd8a0 @ 0x6e89d8a0 system+0x1fd792 @ 0x6e89d792 system+0x1a14bd @ 0x6e8414bd 0x6b00e3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 3269328 registers.edi: 1990713288 registers.eax: 4194304 registers.ebp: 3269532 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Aug. 5, 2021, 5:39 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x216b5a5 0x216b51a 0x2168d7c 0x2168433 0x216023c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x3135ed @ 0x6ff535ed 0x6b1afd 0x6b0820 0x6b03fa system+0x1f9799 @ 0x6e899799 system+0x1f92c8 @ 0x6e8992c8 system+0x1eca74 @ 0x6e88ca74 system+0x1ec868 @ 0x6e88c868 system+0x1f82b8 @ 0x6e8982b8 system+0x1ee54d @ 0x6e88e54d system+0x1f70ea @ 0x6e8970ea system+0x1e56c0 @ 0x6e8856c0 system+0x1f8215 @ 0x6e898215 system+0x1f6f75 @ 0x6e896f75 system+0x1ee251 @ 0x6e88e251 system+0x1ee229 @ 0x6e88e229 system+0x1ee170 @ 0x6e88e170 0x52a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6e88bc85 system+0x1f683b @ 0x6e89683b system+0x1a5e44 @ 0x6e845e44 system+0x1fd8a0 @ 0x6e89d8a0 system+0x1fd792 @ 0x6e89d792 system+0x1a14bd @ 0x6e8414bd 0x6b00e3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 3269328 registers.edi: 1990713288 registers.eax: 12910592 registers.ebp: 3269532 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Aug. 5, 2021, 5:39 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x216b5a5 0x216b51a 0x2168d7c 0x2168433 0x216023c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x3135ed @ 0x6ff535ed 0x6b1afd 0x6b0820 0x6b03fa system+0x1f9799 @ 0x6e899799 system+0x1f92c8 @ 0x6e8992c8 system+0x1eca74 @ 0x6e88ca74 system+0x1ec868 @ 0x6e88c868 system+0x1f82b8 @ 0x6e8982b8 system+0x1ee54d @ 0x6e88e54d system+0x1f70ea @ 0x6e8970ea system+0x1e56c0 @ 0x6e8856c0 system+0x1f8215 @ 0x6e898215 system+0x1f6f75 @ 0x6e896f75 system+0x1ee251 @ 0x6e88e251 system+0x1ee229 @ 0x6e88e229 system+0x1ee170 @ 0x6e88e170 0x52a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6e88bc85 system+0x1f683b @ 0x6e89683b system+0x1a5e44 @ 0x6e845e44 system+0x1fd8a0 @ 0x6e89d8a0 system+0x1fd792 @ 0x6e89d792 system+0x1a14bd @ 0x6e8414bd 0x6b00e3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 3269328 registers.edi: 1990713288 registers.eax: 14548992 registers.ebp: 3269532 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Aug. 5, 2021, 5:39 p.m.	stacktrace: GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755b788a SHGetDataFromIDListW+0x314 SHGetFolderPathAndSubDirW-0x2832 shell32+0x328ef @ 0x758628ef ShellExecuteExW+0x5e1 SHGetNameFromIDList-0x8629 shell32+0x22427 @ 0x75852427 SHGetMalloc+0x17e0 ShellExecuteExW-0x64 shell32+0x21de2 @ 0x75851de2 ShellExecuteExW+0xb4 SHGetNameFromIDList-0x8b56 shell32+0x21efa @ 0x75851efa ShellExecuteExW+0x42 SHGetNameFromIDList-0x8bc8 shell32+0x21e88 @ 0x75851e88 New_shell32_ShellExecuteExW@4+0x1fa New_srvcli_NetShareEnum@28-0x8f @ 0x73cc5f28 ShellExecuteW+0x77 PathResolve-0x6af shell32+0x13ce8 @ 0x75843ce8 LockClrVersion+0x14ac CorBindToRuntimeByPath-0x1c83 mscoreei+0x1c2ae @ 0x6e80c2ae LockClrVersion+0x685 CorBindToRuntimeByPath-0x2aaa mscoreei+0x1b487 @ 0x6e80b487 LockClrVersion+0x2b5a CorBindToRuntimeByPath-0x5d5 mscoreei+0x1d95c @ 0x6e80d95c ND_WU1+0xc2f _CorExeMain-0x5ac mscoreei+0xef86 @ 0x6e7fef86 ND_WU1+0xded _CorExeMain-0x3ee mscoreei+0xf144 @ 0x6e7ff144 ND_WU1+0x109c _CorExeMain-0x13f mscoreei+0xf3f3 @ 0x6e7ff3f3 ND_WU1+0x1166 _CorExeMain-0x75 mscoreei+0xf4bd @ 0x6e7ff4bd _CorExeMain+0x54 GetFileVersion-0x2957 mscoreei+0xf586 @ 0x6e7ff586 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x6f687f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x6f684de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x72083c8c registers.esp: 777868 registers.edi: 0 registers.eax: 1913142412 registers.ebp: 777908 registers.edx: 0 registers.ebx: 0 registers.esi: 1913142412 registers.ecx: 8719720	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 359 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00537000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72142000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02290000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02291000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02292000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0213f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02130000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x09160000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 57344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x09161000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0916f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02160000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02161000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02162000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02164000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02165000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02166000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02131000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02167000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:39 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02168000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:39 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:39 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02169000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:39 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0216a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:39 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0216b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:39 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0216c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2021, 5:39 p.m.	process_identifier: 812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72142000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:39 p.m.	process_identifier: 1032 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:39 p.m.	process_identifier: 1032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

edi.exe tried to sleep 288 seconds, actually delayed analysis time by 288 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW Aug. 5, 2021, 5:39 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1	0
GetDiskFreeSpaceW Aug. 5, 2021, 5:39 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1	0

Steals private information from local Internet browsers (40 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera\wand.dat
file	C:\Users\test22\AppData\Roaming\Opera\Opera7\profile\wand.dat
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\_Bbmzsbjgqtrphzjybyx.vbs

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0
cmdline	powershell Set-MpPreference -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\outlook.exe'
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\outlook.exe'
cmdline	C:\Windows\SysWOW64\svchost.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\_Bbmzsbjgqtrphzjybyx.vbs

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 5, 2021, 5:39 p.m.	show_type: 0 filepath_r: powershell parameters: Set-MpPreference -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\outlook.exe' filepath: powershell	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (8 events)

Time & API	Arguments	Status	Return
Process32NextW Aug. 5, 2021, 5:39 p.m.	snapshot_handle: 0x00000130 process_name: pw.exe process_identifier: 604	1	1
Process32NextW Aug. 5, 2021, 5:39 p.m.	snapshot_handle: 0x00000130 process_name: taskhost.exe process_identifier: 1568	1	1
Process32NextW Aug. 5, 2021, 5:39 p.m.	snapshot_handle: 0x00000130 process_name: edi.exe process_identifier: 2316	1	1
Process32NextW Aug. 5, 2021, 5:39 p.m.	snapshot_handle: 0x00000130 process_name: iexplore.exe process_identifier: 2908	1	1
Process32NextW Aug. 5, 2021, 5:39 p.m.	snapshot_handle: 0x00000130 process_name: iexplore.exe process_identifier: 1744	1	1
Process32NextW Aug. 5, 2021, 5:39 p.m.	snapshot_handle: 0x00000130 process_name: iexplore.exe process_identifier: 2088	1	1
Process32NextW Aug. 5, 2021, 5:39 p.m.	snapshot_handle: 0x00000130 process_name: svchost.exe process_identifier: 2764	1	1
Process32NextW Aug. 5, 2021, 5:39 p.m.	snapshot_handle: 0x00000130 process_name: edi.exe process_identifier: 2564	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 5, 2021, 5:39 p.m.	process_identifier: 1744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x067a0000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00084200', u'virtual_address': u'0x00002000', u'entropy': 7.997455074300602, u'name': u'.text', u'virtual_size': u'0x00084114'}

entropy

7.9974550743

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00010200', u'virtual_address': u'0x00088000', u'entropy': 7.136329948441091, u'name': u'.rsrc', u'virtual_size': u'0x0001016c'}

entropy

7.13632994844

description

A section with a high entropy has been found

entropy

0.999157540017

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Aug. 5, 2021, 5:38 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 5, 2021, 5:39 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 5, 2021, 5:39 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (50 out of 86 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	browser info stealer	rule	infoStealer_browser_Zero
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg

Queries for potentially installed applications (1 event)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExA Aug. 5, 2021, 5:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian		2	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2908 CREDAT:79875
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2908 CREDAT:145409
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

Communicates with host for which no DNS query was performed (1 event)

host

104.74.214.213

Allocates execute permission to another process indicative of possible code injection (7 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 5, 2021, 5:39 p.m.	process_identifier: 2316 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000280	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:39 p.m.	process_identifier: 540 region_size: 638976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:39 p.m.	process_identifier: 2572 region_size: 638976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000110	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:39 p.m.	process_identifier: 2764 region_size: 638976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000228	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:39 p.m.	process_identifier: 2564 region_size: 491520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000022c	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:39 p.m.	process_identifier: 2180 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000022c	1
NtAllocateVirtualMemory Aug. 5, 2021, 5:39 p.m.	process_identifier: 3036 region_size: 356352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000022c	1

Harvests information related to installed instant messenger clients (5 events)

file	C:\Users\test22\AppData\Roaming\Digsby\digsby.dat
file	C:\Users\test22\AppData\Roaming\MySpace\IM\users.txt
registry	HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords
registry	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
registry	HKEY_CURRENT_USER\Software\Paltalk

Potential code injection by writing to the memory of another process (24 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,cç¨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,cç¿cûâ,cîâ-cñã,cy¼%b±â,c\|¼Ócïâ,cy¼.bïâ,cRichîâ,cPELMSaà l÷0@ÜÔKP80l8Älhl@0t.text¶ `.rdatao0p@@.data\= @À.tls à@À.gfids0ð@@.rsrcÔKL¢@@.reloc8P:î@B base_address: 0x00400000 process_identifier: 2316 process_handle: 0x00000280	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ´tE¸wE²tE..¡FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶F¡FP¶FP¶FP¶FP¶FP¶FP¶FP¶F¡Fÿÿÿÿ¸wE¨¢F¨¢F¨¢F¨¢F¨¢F¡F8zE¸{EEè¡F§FCPSTPDT°¢Fð¢Fÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ§Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨346E.?AVtype_info@@46E.?AVbad_alloc@std@@46E.?AVbad_array_new_length@std@@46E.?AVlogic_error@std@@46E.?AVlength_error@std@@46E.?AVout_of_range@std@@46E.?AV_Facet_base@std@@46E.?AV_Locimp@locale@std@@46E.?AVfacet@locale@std@@46E.?AU_Crt_new_delete@std@@46E.?AVcodecvt_base@std@@46E.?AUctype_base@std@@46E.?AV?$ctype@D@std@@46E.?AV?$codecvt@DDU_Mbstatet@@@std@@46E.?AVbad_exception@std@@46E.H46E.?AVfailure@ios_base@std@@46E.?AVruntime_error@std@@46E.?AVsystem_error@std@@46E.?AVbad_cast@std@@46E.?AV_System_error@std@@46E.?AVexception@std@@ base_address: 0x0046a000 process_identifier: 2316 process_handle: 0x00000280	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: base_address: 0x0046e000 process_identifier: 2316 process_handle: 0x00000280	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: +ÔÔ?¤Ø¾Ø?Ù?)s?ÚuZ55g;Ù.~~Dñìð??m(À'ÆØØ®õÐûõÛÝÛÝÛ(jk¡iæÞ\F£ã¥w¡Ô(´öä¼éÙ b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x0046f000 process_identifier: 2316 process_handle: 0x00000280	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2316 process_handle: 0x00000280	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL~±Æà0Ba @ À @¼`Ol ` H.textA B `.rsrclD@@.reloc F @B base_address: 0x00400000 process_identifier: 540 process_handle: 0x00000100	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: `1 base_address: 0x0049a000 process_identifier: 540 process_handle: 0x00000100	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 540 process_handle: 0x00000100	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL~±Æà0Ba @ À @¼`Ol ` H.textA B `.rsrclD@@.reloc F @B base_address: 0x00400000 process_identifier: 2572 process_handle: 0x00000110	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: `1 base_address: 0x0049a000 process_identifier: 2572 process_handle: 0x00000110	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2572 process_handle: 0x00000110	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL~±Æà0Ba @ À @¼`Ol ` H.textA B `.rsrclD@@.reloc F @B base_address: 0x00400000 process_identifier: 2764 process_handle: 0x00000228	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: `1 base_address: 0x0049a000 process_identifier: 2764 process_handle: 0x00000228	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2764 process_handle: 0x00000228	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: MZ@ÿÿ¸ º´ Í!¸LÍ!Win32 .EXE. $@PEL´Ë^àÐètbà@!f `tpð`X.MPRESS1Pöàà.MPRESS2Þ `øàà.rsrcp@Àv2.19 base_address: 0x00400000 process_identifier: 2564 process_handle: 0x0000022c	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: ð`\|að`ü`aü`aaaa§aaaÄaaaäaa$a÷a$a,a b,a4a&b4a<aAb<aDa[bDaXakaa³aÐaïabb3bMbebGetModuleHandleAGetProcAddressKERNEL32.DLLmsvcrt.dllabsCOMCTL32.dllVERSION.dllVerQueryValueWWININET.dllFindCloseUrlCacheUSER32.dllGetDCGDI32.dllSetBkModecomdlg32.dllFindTextWADVAPI32.dllRegCloseKeySHELL32.dllSHGetMallocole32.dllCoInitialize`èXZ0ð+ÀþfÁàÈP+ÈñÈWQID91uö+À¬Èáð$Ááè¬ÈQÍ½ýÿÿÓåYXÜ¤lñÿÿQ+ÉQQÌQfÁâRWÁQPÁVQè^ã^Z+À2´+Ð+É;Ês&Ù¬A$þ<èuòCÁÀx;ÂsåëÃxßÂ+ÃFüëÖè_ÇMÿÿÿ°éª¸V«èX é UWVSì\|$ÇD$tÆD$s¬$BD$x¸¶JØÓãËIL$l¶JÓàHD$h$¨¶2ÇEÇD$`Ç¸t$dÇD$\ÇD$XÇD$TÇD$P¶JÎÓà69L$tsD$xfÇÀâö$3ÿÇD$HÿÿÿÿÓ$T$L3Ò;\$L} ¶ÁçBCøú~ç$¤9L$te t$t#t$lD$`T$xÁàt$DÆ\|$Hÿÿÿ,Bw;\$L- Ád$H¶ÁçCøD$HfUÁè·Ê¯Á;øÝD$H¸+ÁL$dÁø¾¶T$sfED$t#D$hl$xÓà¹+L$dÓúÂiÀ\|$`(lD$ÊD$t+D$\$ ¶D$@Ñd$@L$@6l$á\|$HÿÿÿDML$<,w;\$LaÁd$H¶ÁçCøD$HfÁè·ñ¯Æ;øs#D$H¸+ÆòÁø\|$<ft"ë.)D$H+øÁrfÁèf+È\|$<ftþÿWÿÿÿëyþÿq6l$ê\|$Hÿÿÿw;\$LÅÁd$H¶ÁçCøD$HfMÁè·ñ¯Æ;øsD$H¸+ÆòÁøfEë)D$H+øÁrfÁèf+ÈfMëT$tÆ$ D$sB\|$`T$t ÇD$`é\|$` l$`él$`éL$H+øt$`+ÈÂfÁèf+ÐùÿÿÿfUl$xtut$8w;\$Lò¶ÁçÁáCøl$8ÁÁèf·ê¯Å;øsRð¸+Ål$XÁøL$TT$8L$PL$xfD$\l$TD$X3À\|$`ÀÁd@D$`étñ+ø+ðÂfÁèL$8f+Ðþÿÿÿfw;\$LN¶ÁçÁæCøl$8ÖÁêf·Á¯Ð;úã½ò+èÇD$4ÅÁøL$8fD$`L$DÁàD$xúÿÿÿ,Hw;\$LÜ¶ÁçÁæCøfàÆÁè·Ê¯Á;øs`)L$4Á\|$4t$4D$H\|$tfà3À\|$`¬$ T$tÀD D$`D$t+D$\(D$sDBT$té2+ð+øÂfÁèf+ÐfàéÁ+òfÁèl$8f+È+úþÿÿÿfw;\$L¶ÁçÁæCøL$8ÆÁèf°·Ê¯Á;øs#ð¸+Ál$8Áøf°D$Xé Î+ø+ÈÂfÁèf+ÐD$8ùÿÿÿf°w;\$L¢¶ÁçÁáCøt$8ÁÁèfÈ·ê¯Å;øs ð¸+Ål$8ÁøfÈD$Të&ñ+ø+ðÂfÁèf+ÐD$8fÈT$TD$PT$PL$XL$Tl$\D$\l$X3À\|$`L$xÀÁh D@D$`þÿÿÿw;\$Lô¶ÁçÁæCøfÆÁè·ê¯Å;øs/D$H¸+ÅÁd$DÁøÇD$,fD$DLL$ër+ð+øÂfÁèf+Ðþÿÿÿfw;\$L¶ÁçÁæCøfQÆÁè·ê¯Å;øs;D$H¸+ÅÁd$DÁøÇD$,T$DfA L$ÇD$0ë/+ð+øÂt$HfÁèÇD$,f+ÐÇD$0fQÁL$L$0ºL$(,t$õ\|$Hÿÿÿw;\$LÒÁd$H¶ÁçCøD$HfÁè·Ê¯Á;øsD$H¸+ÁÁøÕfë)D$H+øÂfÁèf+ÐfUt$(Nt$(uL$0¸Óà+ÐT$,\|$`T$çD$`úÂ~¸t$xÁàÇD$$0`D$¸,t$õ\|$Hÿÿÿw;\$LÁd$H¶ÁçCøD$HfÁè·Ê¯Á;øsD$H¸+ÁÁøfÅë)D$H+øÂfÁèf+ÐEfl$$Ml$$uPÀú$'ÂòÑøæHÿÎú L$ l$xÓæÒ4$Du+Â^D$ëVPû\|$Hÿÿÿw;\$LWÁd$H¶ÁçCøÑl$Hö;\|$Hr+\|$HÎJuÈD$xÁæ4$DÇD$ D$ÇD$¸l$ÀD$è\|$Hÿÿÿw;\$LëÁd$H¶ÁçCøD$HfUÁè·ò¯Æ;øsD$H¸+ÆÁøfED$ë)D$H+øÂfÁèf+ÐD$fUT$@ $L$ Ñd$IL$ pÿÿÿ4$Ft$\tZL$l$tÁ9l$\w`$ Õ+D$\$ tFD$sBÿD$tIt¬$¤9l$trâë$¤9D$tºöÿÿ\|$Hÿÿÿw;\$L¸t)ë¸ë C+$3À$L$t$¨Ä\|[^_]Ãéä þÿ,¢øÿMs base_address: 0x00476000 process_identifier: 2564 process_handle: 0x0000022c	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: (0p`BIN2H ` 2@ä Ð ø# &H'p/0À?è@R8 èàH4ä KVä 8lLXä `ÄLöä ¼MÚä °NDä ØÜN ä üOºä (¸Pbä PQhäx r\|ä\|4VS_VERSION_INFO½ïþ?ÚStringFileInfo¶040904b00CompanyNameNirSoft`FileDescriptionWeb Browser Password Viewer*FileVersion2.06LInternalNameWeb Browser Pass Viewh"LegalCopyrightCopyright © 2011 - 2020 Nir Sofer.ProductVersion2.06DVarFileInfo$Translation ° base_address: 0x00477000 process_identifier: 2564 process_handle: 0x0000022c	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2564 process_handle: 0x0000022c	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: MZ@ÿÿ¸ º´ Í!¸LÍ!Win32 .EXE. $@PEL»üiTà2¶"P@@÷ 0È H.MPRESS1Öàà.MPRESS2p Øàà.rsrc0æ@Àv2.19 base_address: 0x00400000 process_identifier: 2180 process_handle: 0x0000022c	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: È D!È Ô Q!Ô Ü b!Ü ä o!ä ì !ì ô !ô ü ¸!ü !Ó!!!í!! !3!\!z!!¥!Å!ß!÷!GetModuleHandleAGetProcAddressKERNEL32.DLLmsvcrt.dllabsCOMCTL32.dllUSER32.dllGetDCGDI32.dllSetBkModecomdlg32.dllGetSaveFileNameAADVAPI32.dllRegEnumKeyASHELL32.dllSHGetMallocole32.dllCoInitialize`èXZ0ð+ÀþfÁàÈP+ÈñÈWQID91uö+À¬Èáð$Ááè¬ÈQÍ½ýÿÿÓåYXÜ¤lñÿÿQ+ÉQQÌQfÁâRWÁQPÁVQè^ã^Z+À2´+Ð+É;Ês&Ù¬A$þ<èuòCÁÀx;ÂsåëÃxßÂ+ÃFüëÖè_ÇMÿÿÿ°éª¸V«èX é UWVSì\|$ÇD$tÆD$s¬$BD$x¸¶JØÓãËIL$l¶JÓàHD$h$¨¶2ÇEÇD$`Ç¸t$dÇD$\ÇD$XÇD$TÇD$P¶JÎÓà69L$tsD$xfÇÀâö$3ÿÇD$HÿÿÿÿÓ$T$L3Ò;\$L} ¶ÁçBCøú~ç$¤9L$te t$t#t$lD$`T$xÁàt$DÆ\|$Hÿÿÿ,Bw;\$L- Ád$H¶ÁçCøD$HfUÁè·Ê¯Á;øÝD$H¸+ÁL$dÁø¾¶T$sfED$t#D$hl$xÓà¹+L$dÓúÂiÀ\|$`(lD$ÊD$t+D$\$ ¶D$@Ñd$@L$@6l$á\|$HÿÿÿDML$<,w;\$LaÁd$H¶ÁçCøD$HfÁè·ñ¯Æ;øs#D$H¸+ÆòÁø\|$<ft"ë.)D$H+øÁrfÁèf+È\|$<ftþÿWÿÿÿëyþÿq6l$ê\|$Hÿÿÿw;\$LÅÁd$H¶ÁçCøD$HfMÁè·ñ¯Æ;øsD$H¸+ÆòÁøfEë)D$H+øÁrfÁèf+ÈfMëT$tÆ$ D$sB\|$`T$t ÇD$`é\|$` l$`él$`éL$H+øt$`+ÈÂfÁèf+ÐùÿÿÿfUl$xtut$8w;\$Lò¶ÁçÁáCøl$8ÁÁèf·ê¯Å;øsRð¸+Ål$XÁøL$TT$8L$PL$xfD$\l$TD$X3À\|$`ÀÁd@D$`étñ+ø+ðÂfÁèL$8f+Ðþÿÿÿfw;\$LN¶ÁçÁæCøl$8ÖÁêf·Á¯Ð;úã½ò+èÇD$4ÅÁøL$8fD$`L$DÁàD$xúÿÿÿ,Hw;\$LÜ¶ÁçÁæCøfàÆÁè·Ê¯Á;øs`)L$4Á\|$4t$4D$H\|$tfà3À\|$`¬$ T$tÀD D$`D$t+D$\(D$sDBT$té2+ð+øÂfÁèf+ÐfàéÁ+òfÁèl$8f+È+úþÿÿÿfw;\$L¶ÁçÁæCøL$8ÆÁèf°·Ê¯Á;øs#ð¸+Ál$8Áøf°D$Xé Î+ø+ÈÂfÁèf+ÐD$8ùÿÿÿf°w;\$L¢¶ÁçÁáCøt$8ÁÁèfÈ·ê¯Å;øs ð¸+Ål$8ÁøfÈD$Të&ñ+ø+ðÂfÁèf+ÐD$8fÈT$TD$PT$PL$XL$Tl$\D$\l$X3À\|$`L$xÀÁh D@D$`þÿÿÿw;\$Lô¶ÁçÁæCøfÆÁè·ê¯Å;øs/D$H¸+ÅÁd$DÁøÇD$,fD$DLL$ër+ð+øÂfÁèf+Ðþÿÿÿfw;\$L¶ÁçÁæCøfQÆÁè·ê¯Å;øs;D$H¸+ÅÁd$DÁøÇD$,T$DfA L$ÇD$0ë/+ð+øÂt$HfÁèÇD$,f+ÐÇD$0fQÁL$L$0ºL$(,t$õ\|$Hÿÿÿw;\$LÒÁd$H¶ÁçCøD$HfÁè·Ê¯Á;øsD$H¸+ÁÁøÕfë)D$H+øÂfÁèf+ÐfUt$(Nt$(uL$0¸Óà+ÐT$,\|$`T$çD$`úÂ~¸t$xÁàÇD$$0`D$¸,t$õ\|$Hÿÿÿw;\$LÁd$H¶ÁçCøD$HfÁè·Ê¯Á;øsD$H¸+ÁÁøfÅë)D$H+øÂfÁèf+ÐEfl$$Ml$$uPÀú$'ÂòÑøæHÿÎú L$ l$xÓæÒ4$Du+Â^D$ëVPû\|$Hÿÿÿw;\$LWÁd$H¶ÁçCøÑl$Hö;\|$Hr+\|$HÎJuÈD$xÁæ4$DÇD$ D$ÇD$¸l$ÀD$è\|$Hÿÿÿw;\$LëÁd$H¶ÁçCøD$HfUÁè·ò¯Æ;øsD$H¸+ÆÁøfED$ë)D$H+øÂfÁèf+ÐD$fUT$@ $L$ Ñd$IL$ pÿÿÿ4$Ft$\tZL$l$tÁ9l$\w`$ Õ+D$\$ tFD$sBÿD$tIt¬$¤9l$trâë$¤9D$tºöÿÿ\|$Hÿÿÿw;\$L¸t)ë¸ë C+$3À$L$t$¨Ä\|[^_]Ãé ÿÿâýÿMs base_address: 0x00422000 process_identifier: 2180 process_handle: 0x0000022c	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2180 process_handle: 0x0000022c	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: MZ@ÿÿ¸ º´ Í!¸LÍ!Win32 .EXE. $@PEL;à]à:â8RP@p#ù P8`ÜPP.MPRESS1@´àà.MPRESS2¢ P¶àà.rsrc`Ä@Àv2.19 base_address: 0x00400000 process_identifier: 3036 process_handle: 0x0000022c	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: ÜP`QÜPèPmQèPðP~QðPøPQøPQ¨QQQ»QQQÑQQQêQQ QR Q(QR(Q<QOQxQQ³QÅQÞQ÷QR)RGetModuleHandleAGetProcAddressKERNEL32.DLLmsvcrt.dlllogCOMCTL32.dllRPCRT4.dllUuidFromStringAUSER32.dllGetDCGDI32.dllSetBkModecomdlg32.dllFindTextAADVAPI32.dllRegEnumKeyASHELL32.dllSHGetMallocole32.dllCoInitialize`èXZ0ð+ÀþfÁàÈP+ÈñÈWQID91uö+À¬Èáð$Ááè¬ÈQÍ½ýÿÿÓåYXÜ¤lñÿÿQ+ÉQQÌQfÁâRWÁQPÁVQè^ã^Z+À2´+Ð+É;Ês&Ù¬A$þ<èuòCÁÀx;ÂsåëÃxßÂ+ÃFüëÖè_ÇMÿÿÿ°éª¸V«èX é UWVSì\|$ÇD$tÆD$s¬$BD$x¸¶JØÓãËIL$l¶JÓàHD$h$¨¶2ÇEÇD$`Ç¸t$dÇD$\ÇD$XÇD$TÇD$P¶JÎÓà69L$tsD$xfÇÀâö$3ÿÇD$HÿÿÿÿÓ$T$L3Ò;\$L} ¶ÁçBCøú~ç$¤9L$te t$t#t$lD$`T$xÁàt$DÆ\|$Hÿÿÿ,Bw;\$L- Ád$H¶ÁçCøD$HfUÁè·Ê¯Á;øÝD$H¸+ÁL$dÁø¾¶T$sfED$t#D$hl$xÓà¹+L$dÓúÂiÀ\|$`(lD$ÊD$t+D$\$ ¶D$@Ñd$@L$@6l$á\|$HÿÿÿDML$<,w;\$LaÁd$H¶ÁçCøD$HfÁè·ñ¯Æ;øs#D$H¸+ÆòÁø\|$<ft"ë.)D$H+øÁrfÁèf+È\|$<ftþÿWÿÿÿëyþÿq6l$ê\|$Hÿÿÿw;\$LÅÁd$H¶ÁçCøD$HfMÁè·ñ¯Æ;øsD$H¸+ÆòÁøfEë)D$H+øÁrfÁèf+ÈfMëT$tÆ$ D$sB\|$`T$t ÇD$`é\|$` l$`él$`éL$H+øt$`+ÈÂfÁèf+ÐùÿÿÿfUl$xtut$8w;\$Lò¶ÁçÁáCøl$8ÁÁèf·ê¯Å;øsRð¸+Ål$XÁøL$TT$8L$PL$xfD$\l$TD$X3À\|$`ÀÁd@D$`étñ+ø+ðÂfÁèL$8f+Ðþÿÿÿfw;\$LN¶ÁçÁæCøl$8ÖÁêf·Á¯Ð;úã½ò+èÇD$4ÅÁøL$8fD$`L$DÁàD$xúÿÿÿ,Hw;\$LÜ¶ÁçÁæCøfàÆÁè·Ê¯Á;øs`)L$4Á\|$4t$4D$H\|$tfà3À\|$`¬$ T$tÀD D$`D$t+D$\(D$sDBT$té2+ð+øÂfÁèf+ÐfàéÁ+òfÁèl$8f+È+úþÿÿÿfw;\$L¶ÁçÁæCøL$8ÆÁèf°·Ê¯Á;øs#ð¸+Ál$8Áøf°D$Xé Î+ø+ÈÂfÁèf+ÐD$8ùÿÿÿf°w;\$L¢¶ÁçÁáCøt$8ÁÁèfÈ·ê¯Å;øs ð¸+Ål$8ÁøfÈD$Të&ñ+ø+ðÂfÁèf+ÐD$8fÈT$TD$PT$PL$XL$Tl$\D$\l$X3À\|$`L$xÀÁh D@D$`þÿÿÿw;\$Lô¶ÁçÁæCøfÆÁè·ê¯Å;øs/D$H¸+ÅÁd$DÁøÇD$,fD$DLL$ër+ð+øÂfÁèf+Ðþÿÿÿfw;\$L¶ÁçÁæCøfQÆÁè·ê¯Å;øs;D$H¸+ÅÁd$DÁøÇD$,T$DfA L$ÇD$0ë/+ð+øÂt$HfÁèÇD$,f+ÐÇD$0fQÁL$L$0ºL$(,t$õ\|$Hÿÿÿw;\$LÒÁd$H¶ÁçCøD$HfÁè·Ê¯Á;øsD$H¸+ÁÁøÕfë)D$H+øÂfÁèf+ÐfUt$(Nt$(uL$0¸Óà+ÐT$,\|$`T$çD$`úÂ~¸t$xÁàÇD$$0`D$¸,t$õ\|$Hÿÿÿw;\$LÁd$H¶ÁçCøD$HfÁè·Ê¯Á;øsD$H¸+ÁÁøfÅë)D$H+øÂfÁèf+ÐEfl$$Ml$$uPÀú$'ÂòÑøæHÿÎú L$ l$xÓæÒ4$Du+Â^D$ëVPû\|$Hÿÿÿw;\$LWÁd$H¶ÁçCøÑl$Hö;\|$Hr+\|$HÎJuÈD$xÁæ4$DÇD$ D$ÇD$¸l$ÀD$è\|$Hÿÿÿw;\$LëÁd$H¶ÁçCøD$HfUÁè·ò¯Æ;øsD$H¸+ÆÁøfED$ë)D$H+øÂfÁèf+ÐD$fUT$@ $L$ Ñd$IL$ pÿÿÿ4$Ft$\tZL$l$tÁ9l$\w`$ Õ+D$\$ tFD$sBÿD$tIt¬$¤9l$trâë$¤9D$tºöÿÿ\|$Hÿÿÿw;\$L¸t)ë¸ë C+$3À$L$t$¨Ä\|[^_]Ãé5ìþÿh²úÿMs base_address: 0x00455000 process_identifier: 3036 process_handle: 0x0000022c	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3036 process_handle: 0x0000022c	1	1

Code injection by writing an executable or DLL to the memory of another process (7 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,cç¨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,cç¿cûâ,cîâ-cñã,cy¼%b±â,c\|¼Ócïâ,cy¼.bïâ,cRichîâ,cPELMSaà l÷0@ÜÔKP80l8Älhl@0t.text¶ `.rdatao0p@@.data\= @À.tls à@À.gfids0ð@@.rsrcÔKL¢@@.reloc8P:î@B base_address: 0x00400000 process_identifier: 2316 process_handle: 0x00000280	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL~±Æà0Ba @ À @¼`Ol ` H.textA B `.rsrclD@@.reloc F @B base_address: 0x00400000 process_identifier: 540 process_handle: 0x00000100	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL~±Æà0Ba @ À @¼`Ol ` H.textA B `.rsrclD@@.reloc F @B base_address: 0x00400000 process_identifier: 2572 process_handle: 0x00000110	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL~±Æà0Ba @ À @¼`Ol ` H.textA B `.rsrclD@@.reloc F @B base_address: 0x00400000 process_identifier: 2764 process_handle: 0x00000228	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: MZ@ÿÿ¸ º´ Í!¸LÍ!Win32 .EXE. $@PEL´Ë^àÐètbà@!f `tpð`X.MPRESS1Pöàà.MPRESS2Þ `øàà.rsrcp@Àv2.19 base_address: 0x00400000 process_identifier: 2564 process_handle: 0x0000022c	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: MZ@ÿÿ¸ º´ Í!¸LÍ!Win32 .EXE. $@PEL»üiTà2¶"P@@÷ 0È H.MPRESS1Öàà.MPRESS2p Øàà.rsrc0æ@Àv2.19 base_address: 0x00400000 process_identifier: 2180 process_handle: 0x0000022c	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: MZ@ÿÿ¸ º´ Í!¸LÍ!Win32 .EXE. $@PEL;à]à:â8RP@p#ù P8`ÜPP.MPRESS1@´àà.MPRESS2¢ P¶àà.rsrc`Ä@Àv2.19 base_address: 0x00400000 process_identifier: 3036 process_handle: 0x0000022c	1	1

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Aug. 5, 2021, 5:39 p.m.	thread_identifier: 0 callback_function: 0x004088ca hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	9896771	0

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

Cylance	Unsafe
CrowdStrike	win/malicious_confidence_80% (W)
APEX	Malicious
MaxSecure	Trojan.Malware.300983.susgen
FireEye	Generic.mg.6a1e010d4b1a7f82
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Cynet	Malicious (score: 100)
Malwarebytes	MachineLearning/Anomalous.96%
eGambit	Unsafe.AI_Score_99%
Cybereason	malicious.d87b82

Harvests credentials from local email clients (6 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
registry	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird
registry	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (14 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2216 called NtSetContextThread to modify thread in remote process 2316
Process injection	Process 2316 called NtSetContextThread to modify thread in remote process 540
Process injection	Process 2316 called NtSetContextThread to modify thread in remote process 2572
Process injection	Process 2316 called NtSetContextThread to modify thread in remote process 2764
Process injection	Process 2316 called NtSetContextThread to modify thread in remote process 2564
Process injection	Process 2316 called NtSetContextThread to modify thread in remote process 2180
Process injection	Process 2316 called NtSetContextThread to modify thread in remote process 3036
NtSetContextThread Aug. 5, 2021, 5:39 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4388716 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003e8 process_identifier: 2316	1	0	0
NtSetContextThread Aug. 5, 2021, 5:39 p.m.	registers.eip: 2000355780 registers.esp: 1572168 registers.edi: 0 registers.eax: 4743438 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000fc process_identifier: 540	1	0	0
NtSetContextThread Aug. 5, 2021, 5:39 p.m.	registers.eip: 2000355780 registers.esp: 1374820 registers.edi: 0 registers.eax: 4743438 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000104 process_identifier: 2572	1	0	0
NtSetContextThread Aug. 5, 2021, 5:39 p.m.	registers.eip: 2000355780 registers.esp: 785900 registers.edi: 0 registers.eax: 4743438 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000011c process_identifier: 2764	1	0	0
NtSetContextThread Aug. 5, 2021, 5:39 p.m.	registers.eip: 2000355780 registers.esp: 3538744 registers.edi: 0 registers.eax: 4678260 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000220 process_identifier: 2564	1	0	0
NtSetContextThread Aug. 5, 2021, 5:39 p.m.	registers.eip: 2000355780 registers.esp: 3275448 registers.edi: 0 registers.eax: 4334086 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000220 process_identifier: 2180	1	0	0
NtSetContextThread Aug. 5, 2021, 5:39 p.m.	registers.eip: 2000355780 registers.esp: 1441636 registers.edi: 0 registers.eax: 4543032 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000220 process_identifier: 3036	1	0	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	powershell Set-MpPreference -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\outlook.exe'
parent_process	wscript.exe				martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\outlook.exe'

Resumed a suspended thread in a remote process potentially indicative of process injection (18 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2216 resumed a thread in remote process 2316
Process injection	Process 2316 resumed a thread in remote process 540
Process injection	Process 2316 resumed a thread in remote process 2572
Process injection	Process 2316 resumed a thread in remote process 2764
Process injection	Process 2316 resumed a thread in remote process 2564
Process injection	Process 2316 resumed a thread in remote process 2180
Process injection	Process 2316 resumed a thread in remote process 3036
Process injection	Process 2908 resumed a thread in remote process 1744
Process injection	Process 2908 resumed a thread in remote process 2088
NtResumeThread Aug. 5, 2021, 5:39 p.m.	thread_handle: 0x000003e8 suspend_count: 1 process_identifier: 2316	1	0	0
NtResumeThread Aug. 5, 2021, 5:39 p.m.	thread_handle: 0x000000fc suspend_count: 1 process_identifier: 540	1	0	0
NtResumeThread Aug. 5, 2021, 5:39 p.m.	thread_handle: 0x00000104 suspend_count: 1 process_identifier: 2572	1	0	0
NtResumeThread Aug. 5, 2021, 5:39 p.m.	thread_handle: 0x0000011c suspend_count: 1 process_identifier: 2764	1	0	0
NtResumeThread Aug. 5, 2021, 5:39 p.m.	thread_handle: 0x00000220 suspend_count: 1 process_identifier: 2564	1	0	0
NtResumeThread Aug. 5, 2021, 5:39 p.m.	thread_handle: 0x00000220 suspend_count: 1 process_identifier: 2180	1	0	0
NtResumeThread Aug. 5, 2021, 5:39 p.m.	thread_handle: 0x00000220 suspend_count: 1 process_identifier: 3036	1	0	0
NtResumeThread Aug. 5, 2021, 5:39 p.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 1744	1	0	0
NtResumeThread Aug. 5, 2021, 5:39 p.m.	thread_handle: 0x00000554 suspend_count: 1 process_identifier: 2088	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 104 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 5, 2021, 5:38 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2216	1	0
NtResumeThread Aug. 5, 2021, 5:38 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2216	1	0
NtResumeThread Aug. 5, 2021, 5:38 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2216	1	0
CreateProcessInternalW Aug. 5, 2021, 5:39 p.m.	thread_identifier: 808 thread_handle: 0x000003e4 process_identifier: 812 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\wscript.exe track: 1 command_line: "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\_Bbmzsbjgqtrphzjybyx.vbs" filepath_r: C:\Windows\System32\WScript.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003d8	1	1
CreateProcessInternalW Aug. 5, 2021, 5:39 p.m.	thread_identifier: 1240 thread_handle: 0x000003e8 process_identifier: 2316 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\edi.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000280	1	1
NtGetContextThread Aug. 5, 2021, 5:39 p.m.	thread_handle: 0x000003e8	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 5:39 p.m.	process_identifier: 2316 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000280	1	0
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,cç¨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,cç¿cûâ,cîâ-cñã,cy¼%b±â,c\|¼Ócïâ,cy¼.bïâ,cRichîâ,cPELMSaà l÷0@ÜÔKP80l8Älhl@0t.text¶ `.rdatao0p@@.data\= @À.tls à@À.gfids0ð@@.rsrcÔKL¢@@.reloc8P:î@B base_address: 0x00400000 process_identifier: 2316 process_handle: 0x00000280	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: base_address: 0x00401000 process_identifier: 2316 process_handle: 0x00000280	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: base_address: 0x00453000 process_identifier: 2316 process_handle: 0x00000280	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ´tE¸wE²tE..¡FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶F¡FP¶FP¶FP¶FP¶FP¶FP¶FP¶F¡Fÿÿÿÿ¸wE¨¢F¨¢F¨¢F¨¢F¨¢F¡F8zE¸{EEè¡F§FCPSTPDT°¢Fð¢Fÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ§Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨346E.?AVtype_info@@46E.?AVbad_alloc@std@@46E.?AVbad_array_new_length@std@@46E.?AVlogic_error@std@@46E.?AVlength_error@std@@46E.?AVout_of_range@std@@46E.?AV_Facet_base@std@@46E.?AV_Locimp@locale@std@@46E.?AVfacet@locale@std@@46E.?AU_Crt_new_delete@std@@46E.?AVcodecvt_base@std@@46E.?AUctype_base@std@@46E.?AV?$ctype@D@std@@46E.?AV?$codecvt@DDU_Mbstatet@@@std@@46E.?AVbad_exception@std@@46E.H46E.?AVfailure@ios_base@std@@46E.?AVruntime_error@std@@46E.?AVsystem_error@std@@46E.?AVbad_cast@std@@46E.?AV_System_error@std@@46E.?AVexception@std@@ base_address: 0x0046a000 process_identifier: 2316 process_handle: 0x00000280	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: base_address: 0x0046e000 process_identifier: 2316 process_handle: 0x00000280	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: +ÔÔ?¤Ø¾Ø?Ù?)s?ÚuZ55g;Ù.~~Dñìð??m(À'ÆØØ®õÐûõÛÝÛÝÛ(jk¡iæÞ\F£ã¥w¡Ô(´öä¼éÙ b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x0046f000 process_identifier: 2316 process_handle: 0x00000280	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: base_address: 0x00470000 process_identifier: 2316 process_handle: 0x00000280	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: base_address: 0x00475000 process_identifier: 2316 process_handle: 0x00000280	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2316 process_handle: 0x00000280	1	1
NtSetContextThread Aug. 5, 2021, 5:39 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4388716 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003e8 process_identifier: 2316	1	0
NtResumeThread Aug. 5, 2021, 5:39 p.m.	thread_handle: 0x000003e8 suspend_count: 1 process_identifier: 2316	1	0
CreateProcessInternalW Aug. 5, 2021, 5:39 p.m.	thread_identifier: 2416 thread_handle: 0x000002e8 process_identifier: 1032 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\outlook.exe' filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002f0	1	1
CreateProcessInternalW Aug. 5, 2021, 5:39 p.m.	thread_identifier: 1224 thread_handle: 0x000000fc process_identifier: 540 current_directory: filepath: track: 1 command_line: C:\Windows\SysWOW64\svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000100	1	1
NtGetContextThread Aug. 5, 2021, 5:39 p.m.	thread_handle: 0x000000fc	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 5:39 p.m.	process_identifier: 540 region_size: 638976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000100	1	0
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL~±Æà0Ba @ À @¼`Ol ` H.textA B `.rsrclD@@.reloc F @B base_address: 0x00400000 process_identifier: 540 process_handle: 0x00000100	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: base_address: 0x00402000 process_identifier: 540 process_handle: 0x00000100	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: base_address: 0x00488000 process_identifier: 540 process_handle: 0x00000100	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: `1 base_address: 0x0049a000 process_identifier: 540 process_handle: 0x00000100	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 540 process_handle: 0x00000100	1	1
NtSetContextThread Aug. 5, 2021, 5:39 p.m.	registers.eip: 2000355780 registers.esp: 1572168 registers.edi: 0 registers.eax: 4743438 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000fc process_identifier: 540	1	0
NtResumeThread Aug. 5, 2021, 5:39 p.m.	thread_handle: 0x000000fc suspend_count: 1 process_identifier: 540	1	0
CreateProcessInternalW Aug. 5, 2021, 5:39 p.m.	thread_identifier: 2704 thread_handle: 0x00000104 process_identifier: 2572 current_directory: filepath: track: 1 command_line: C:\Windows\SysWOW64\svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000110	1	1
NtGetContextThread Aug. 5, 2021, 5:39 p.m.	thread_handle: 0x00000104	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 5:39 p.m.	process_identifier: 2572 region_size: 638976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000110	1	0
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL~±Æà0Ba @ À @¼`Ol ` H.textA B `.rsrclD@@.reloc F @B base_address: 0x00400000 process_identifier: 2572 process_handle: 0x00000110	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: base_address: 0x00402000 process_identifier: 2572 process_handle: 0x00000110	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: base_address: 0x00488000 process_identifier: 2572 process_handle: 0x00000110	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: `1 base_address: 0x0049a000 process_identifier: 2572 process_handle: 0x00000110	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2572 process_handle: 0x00000110	1	1
NtSetContextThread Aug. 5, 2021, 5:39 p.m.	registers.eip: 2000355780 registers.esp: 1374820 registers.edi: 0 registers.eax: 4743438 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000104 process_identifier: 2572	1	0
NtResumeThread Aug. 5, 2021, 5:39 p.m.	thread_handle: 0x00000104 suspend_count: 1 process_identifier: 2572	1	0
CreateProcessInternalW Aug. 5, 2021, 5:39 p.m.	thread_identifier: 2480 thread_handle: 0x0000011c process_identifier: 2764 current_directory: filepath: track: 1 command_line: C:\Windows\SysWOW64\svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000228	1	1
NtGetContextThread Aug. 5, 2021, 5:39 p.m.	thread_handle: 0x0000011c	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 5:39 p.m.	process_identifier: 2764 region_size: 638976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000228	1	0
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL~±Æà0Ba @ À @¼`Ol ` H.textA B `.rsrclD@@.reloc F @B base_address: 0x00400000 process_identifier: 2764 process_handle: 0x00000228	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: base_address: 0x00402000 process_identifier: 2764 process_handle: 0x00000228	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: base_address: 0x00488000 process_identifier: 2764 process_handle: 0x00000228	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: `1 base_address: 0x0049a000 process_identifier: 2764 process_handle: 0x00000228	1	1
WriteProcessMemory Aug. 5, 2021, 5:39 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2764 process_handle: 0x00000228	1	1
NtSetContextThread Aug. 5, 2021, 5:39 p.m.	registers.eip: 2000355780 registers.esp: 785900 registers.edi: 0 registers.eax: 4743438 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000011c process_identifier: 2764	1	0
NtResumeThread Aug. 5, 2021, 5:39 p.m.	thread_handle: 0x0000011c suspend_count: 1 process_identifier: 2764	1	0
CreateProcessInternalW Aug. 5, 2021, 5:39 p.m.	thread_identifier: 2620 thread_handle: 0x00000220 process_identifier: 2564 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\edi.exe /stext "C:\Users\test22\AppData\Local\Temp\ozdweyveusxkjlmjfnuehefwbqbf" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000022c	1	1

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

edi.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All