Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 2, 2021, 9:14 a.m.	Sept. 2, 2021, 9:16 a.m.

Size	1.1MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`6c0795e7a1460e3eb294d63e6961bd1c`
SHA256	`41747df22b65966e54d0a78b87b8255fe0fbc5fe6f9bacbc4d523c38f006fea5`
CRC32	`A1E42AED`
ssdeep	`24576:ZcYOnMZe/oeLjLZ4A6DRxsc9KWrhgZdGR4:ZbOnM0AAjLZlCCRlf`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

templefirstzx.exe "C:\Users\test22\AppData\Local\Temp\templefirstzx.exe"
2500
- templefirstzx.exe "C:\Users\test22\AppData\Local\Temp\templefirstzx.exe"
  2200
  - ._cache_templefirstzx.exe "C:\Users\test22\AppData\Local\Temp\._cache_templefirstzx.exe"
    1784
  - Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    240
    - Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe"
      900
      - ._cache_Synaptics.exe "C:\Users\test22\AppData\Local\Temp\._cache_Synaptics.exe"
        1164

Name	Response	Post-Analysis Lookup
www.artjohntravis.com	A 34.102.136.180 CNAME artjohntravis.com	34.102.136.180
www.privsec-mail.com
www.algarmotorcars.com	CNAME www107.wixdns.net CNAME balancer.wixdns.net CNAME 47363d5c-balancer.wixdns.net CNAME td-balancer-ae1-190-141.wixdns.net A 34.80.190.141	34.80.190.141
xred.mooo.com
www.livingalcohol.com	CNAME livingalcohol.com A 34.102.136.180	34.102.136.180
xred.site50.net	A 153.92.0.100	153.92.0.100
docs.google.com	A 172.217.26.14	172.217.26.14
freedns.afraid.org	A 69.42.215.252 A 50.23.197.95	69.42.215.252
www.mcinerneychrysler.com	CNAME le0437.secure.dealer.com.edgekey.net CNAME e14945.dscx.akamaiedge.net A 104.74.219.56	104.74.219.56
www.000webhost.com	A 104.19.185.120 A 104.19.184.120	104.19.184.120
www.6972399.com
www.thepink.club	A 99.83.154.118	99.83.154.118
www.vnielvmdqxk538.xyz	A 72.52.178.23	72.52.178.23
www.secure-dwellant.com
www.ceaice.com
www.dropbox.com	CNAME www-env.dropbox-dns.com A 162.125.84.18	162.125.84.18

IP Address	Status	Action
104.19.185.120	Active	Moloch
104.74.219.56	Active	Moloch
153.92.0.100	Active	Moloch
162.125.84.18	Active	Moloch
164.124.101.2	Active	Moloch
172.217.26.14	Active	Moloch
34.102.136.180	Active	Moloch
34.80.190.141	Active	Moloch
69.42.215.252	Active	Moloch
72.52.178.23	Active	Moloch
99.83.154.118	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49168 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 72.52.178.23:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 72.52.178.23:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 72.52.178.23:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 72.52.178.23:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.102:49171 -> 104.74.219.56:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 104.74.219.56:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 104.74.219.56:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 162.125.84.18:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49182 -> 172.217.26.14:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.102:64472 -> 164.124.101.2:53	2015633	ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com	Misc activity
TCP 192.168.56.102:49185 -> 104.19.185.120:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.125.84.18:443 -> 192.168.56.102:49183	2012647	ET POLICY Dropbox.com Offsite File Backup in Use	Potential Corporate Privacy Violation
TCP 192.168.56.102:49184 -> 153.92.0.100:80	2013224	ET HUNTING Suspicious User-Agent Containing .exe	A Network Trojan was detected
TCP 192.168.56.102:49169 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49180 -> 34.80.190.141:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49180 -> 34.80.190.141:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49180 -> 34.80.190.141:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 99.83.154.118:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 99.83.154.118:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 99.83.154.118:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49183 162.125.84.18:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=San Francisco, O=Dropbox, Inc, CN=*.dropbox.com	3b:3c:24:9c:f2:3f:43:52:f1:1b:a4:f7:5d:18:a7:34:23:49:8f:7a
TLSv1 192.168.56.102:49182 172.217.26.14:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	8f:b6:6e:35:48:00:39:39:d4:59:1a:58:7b:b6:38:5a:92:b0:b6:9f
TLSv1 192.168.56.102:49185 104.19.185.120:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.000webhost.com	89:ac:2f:41:6f:58:00:a2:08:f3:6f:fd:5a:5e:15:8c:39:20:d8:99

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Sept. 2, 2021, 9:15 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 2, 2021, 9:14 a.m.			0	0
IsDebuggerPresent Sept. 2, 2021, 9:14 a.m.			0	0
IsDebuggerPresent Sept. 2, 2021, 9:15 a.m.			0	0
IsDebuggerPresent Sept. 2, 2021, 9:15 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 2, 2021, 9:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006255a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 2, 2021, 9:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006257a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 2, 2021, 9:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006257a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 2, 2021, 9:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00764b30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 2, 2021, 9:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00764a30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 2, 2021, 9:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00764a30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 2, 2021, 9:14 a.m.		1	1	0

One or more processes crashed (5 events)

Time & API	Arguments	Status
__exception__ Sept. 2, 2021, 9:15 a.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x72f71194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72e42ba1 0x66260b 0x660e87 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72dc2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72dd264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x72de9df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x72de9e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x72de9efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x72de9fa2 DllGetClassObjectInternal+0x8bed4 CorDllMainForThunk-0x627 clr+0x150f4d @ 0x72f10f4d DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x72ddbcd5 DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x72dc2ae9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72dc2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72dd264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72e41838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72e41737 mscorlib+0x2d3711 @ 0x720d3711 mscorlib+0x308f2d @ 0x72108f2d mscorlib+0x2cb060 @ 0x720cb060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72dc2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72dd264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72e41838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72e41737 mscorlib+0x2d36ad @ 0x720d36ad mscorlib+0x308f2d @ 0x72108f2d microsoft+0x50c17 @ 0x6fbd0c17 microsoft+0x3f05f @ 0x6fbbf05f microsoft+0x3e4d4 @ 0x6fbbe4d4 microsoft+0x3cda4 @ 0x6fbbcda4 0x5c9f84 0x5c9cc8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72dc2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72dd264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72e41838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72e41737 mscorlib+0x305edf @ 0x72105edf mscorlib+0x2e9e1b @ 0x720e9e1b mscorlib+0x2e99c1 @ 0x720e99c1 mscorlib+0x2de184 @ 0x720de184 0x5c9b9d 0x5c9949 0x5c629e 0x5c564c 0x5c5482 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72dc2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72dd264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72dd2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72e874ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72e87610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f11dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f11e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f11f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f1416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7408f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73467f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73464de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 3789836 registers.edi: 0 registers.eax: 3789836 registers.ebp: 3789916 registers.edx: 3 registers.ebx: 7625496 registers.esi: 7277984 registers.ecx: 4046590715	1
__exception__ Sept. 2, 2021, 9:15 a.m.	stacktrace: synaptics+0x7bda4 @ 0x47bda4 synaptics+0x7bcf2 @ 0x47bcf2 synaptics+0x7bcb3 @ 0x47bcb3 synaptics+0x845fd @ 0x4845fd synaptics+0x959fc @ 0x4959fc BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 97253772 registers.edi: 97253960 registers.eax: 97253772 registers.ebp: 97253852 registers.edx: 0 registers.ebx: 4703484 registers.esi: 11001 registers.ecx: 7	1
__exception__ Sept. 2, 2021, 9:16 a.m.	stacktrace: synaptics+0x7bda4 @ 0x47bda4 synaptics+0x7bcf2 @ 0x47bcf2 synaptics+0x7bcb3 @ 0x47bcb3 synaptics+0x845fd @ 0x4845fd synaptics+0x95a83 @ 0x495a83 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 97251584 registers.edi: 97251772 registers.eax: 97251584 registers.ebp: 97251664 registers.edx: 0 registers.ebx: 4703484 registers.esi: 11004 registers.ecx: 7	1
__exception__ Sept. 2, 2021, 9:16 a.m.	stacktrace: synaptics+0x7bda4 @ 0x47bda4 synaptics+0x7bcf2 @ 0x47bcf2 synaptics+0x7bcb3 @ 0x47bcb3 synaptics+0x845fd @ 0x4845fd synaptics+0x95b0a @ 0x495b0a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 97249396 registers.edi: 97249584 registers.eax: 97249396 registers.ebp: 97249476 registers.edx: 0 registers.ebx: 4703484 registers.esi: 11001 registers.ecx: 7	1
__exception__ Sept. 2, 2021, 9:16 a.m.	stacktrace: synaptics+0x1e175 @ 0x41e175 synaptics+0x1e1c3 @ 0x41e1c3 synaptics+0x1e108 @ 0x41e108 synaptics+0x95115 @ 0x495115 synaptics+0x9528f @ 0x49528f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 102168920 registers.edi: 0 registers.eax: 102168920 registers.ebp: 102169000 registers.edx: 0 registers.ebx: 12672892 registers.esi: 0 registers.ecx: 7	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (6 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.livingalcohol.com/b0ar/?r6=32cJvtm6v5CrHkGtRaCKvnIzMPMaS8klC7QMWGugGRjVzPiNEaTJc2oUIDqYaKdywZUrkA7f&sBZxr2=FxopsJeXPvOX3
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.artjohntravis.com/b0ar/?r6=FI6V3ciXB53f+evAnSijLVseR7Fj9SHqs11tijwh7SEaqCYqOPT9yA6Mp0JLeXWl2GeMTJcV&sBZxr2=FxopsJeXPvOX3
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.thepink.club/b0ar/?r6=35zmK/1nOG3ZiclOaRDNqBcycOB07sOwoO1SOSl9YfrEiskurZgjdyrE07vb97UKsZwkKKa4&sBZxr2=FxopsJeXPvOX3
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.mcinerneychrysler.com/b0ar/?r6=oBVrEuqKUfopUpAnqJfem3AP4MxLKUs3kUwU0NiQ7+oE8UvVtrvEXTcSUGgYTlPvZxyytEEp&sBZxr2=FxopsJeXPvOX3
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.vnielvmdqxk538.xyz/b0ar/?r6=7CUt39hPMjg/s6qQ0+QbWtikgyOufco6CG9l+t5DjC9/JIPCU/WxQ6IAIg/iVENqz91MlH14&sBZxr2=FxopsJeXPvOX3
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.algarmotorcars.com/b0ar/?r6=GBw5w5TP0zGw7Ui1KyuWLvjFNgn/VJyG24akOFBAUZbsXTnWiW1DuuZdfbFm7e75UOMWX9j4&sBZxr2=FxopsJeXPvOX3

Connects to a Dynamic DNS Domain (1 event)

domain

xred.mooo.com

Performs some HTTP requests (12 events)

request	GET http://www.livingalcohol.com/b0ar/?r6=32cJvtm6v5CrHkGtRaCKvnIzMPMaS8klC7QMWGugGRjVzPiNEaTJc2oUIDqYaKdywZUrkA7f&sBZxr2=FxopsJeXPvOX3
request	GET http://www.artjohntravis.com/b0ar/?r6=FI6V3ciXB53f+evAnSijLVseR7Fj9SHqs11tijwh7SEaqCYqOPT9yA6Mp0JLeXWl2GeMTJcV&sBZxr2=FxopsJeXPvOX3
request	GET http://www.thepink.club/b0ar/?r6=35zmK/1nOG3ZiclOaRDNqBcycOB07sOwoO1SOSl9YfrEiskurZgjdyrE07vb97UKsZwkKKa4&sBZxr2=FxopsJeXPvOX3
request	GET http://www.mcinerneychrysler.com/b0ar/?r6=oBVrEuqKUfopUpAnqJfem3AP4MxLKUs3kUwU0NiQ7+oE8UvVtrvEXTcSUGgYTlPvZxyytEEp&sBZxr2=FxopsJeXPvOX3
request	GET http://www.vnielvmdqxk538.xyz/b0ar/?r6=7CUt39hPMjg/s6qQ0+QbWtikgyOufco6CG9l+t5DjC9/JIPCU/WxQ6IAIg/iVENqz91MlH14&sBZxr2=FxopsJeXPvOX3
request	GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
request	GET http://www.algarmotorcars.com/b0ar/?r6=GBw5w5TP0zGw7Ui1KyuWLvjFNgn/VJyG24akOFBAUZbsXTnWiW1DuuZdfbFm7e75UOMWX9j4&sBZxr2=FxopsJeXPvOX3
request	GET http://xred.site50.net/syn/SSLLibrary.dll
request	GET https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
request	GET https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
request	GET https://www.dropbox.com/s/dl/fzj752whr3ontsm/SSLLibrary.dll
request	GET https://www.000webhost.com/migrate?static=true

Allocates read-write-execute memory (usually to unpack itself) (50 out of 100 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02090000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00572000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00780000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00781000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00782000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00783000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00784000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00785000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00786000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70692000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00596000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00788000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00789000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef48000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:14 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:15 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0078a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:15 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:15 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0078b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:15 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0078c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:15 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0078d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:15 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0078e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:15 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0078f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:15 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:15 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00841000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:15 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00842000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:15 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00843000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:15 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00844000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:15 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00845000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:15 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00846000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:15 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00847000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:15 a.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2021, 9:15 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 2, 2021, 9:15 a.m.	process_identifier: 1784 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00950000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Downloads a file or document from Google Drive (1 event)

domain

docs.google.com

Creates executable files on the filesystem (3 events)

file	C:\ProgramData\Synaptics\Synaptics.dll
file	C:\Users\test22\AppData\Local\Temp\._cache_Synaptics.exe
file	C:\Users\test22\AppData\Local\Temp\._cache_templefirstzx.exe

Resolves Free Hosting Domain, Possibly Malicious (1 event)

domain

xred.site50.net

Looks up the Dropbox cloud service (1 event)

domain

www.dropbox.com

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\._cache_Synaptics.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\._cache_Synaptics.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00113400', u'virtual_address': u'0x00002000', u'entropy': 7.959614155636252, u'name': u'.text', u'virtual_size': u'0x001132f4'}

entropy

7.95961415564

description

A section with a high entropy has been found

entropy

0.998186763373

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 2, 2021, 9:15 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 2, 2021, 9:15 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 2, 2021, 9:15 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 2, 2021, 9:15 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Potentially malicious URLs were found in the process memory dump (10 events)

url	https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
url	http://freedns.afraid.org/api/?action=getdyndns
url	https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
url	http://xred.site50.net/syn/SSLLibrary.dll
url	https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ
url	https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk
url	http://xred.site50.net/syn/SUpdate.ini
url	https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
url	https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk
url	http://xred.site50.net/syn/Synaptics.rar

Yara rule detected in process memory (38 events)

description	Communications over SSL	rule	Network_SSL
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications smtp	rule	network_smtp_raw
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Take ScreenShot	rule	ScreenShot
description	Communications DynDns network	rule	Network_DynDns
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over SSL	rule	Network_SSL
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications smtp	rule	network_smtp_raw
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Take ScreenShot	rule	ScreenShot
description	Communications DynDns network	rule	Network_DynDns
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Install itself for autorun at Windows startup	rule	Persistence

Terminates another process (4 events)

Time & API	Arguments	Status
NtTerminateProcess Sept. 2, 2021, 9:15 a.m.	status_code: 0xffffffff process_identifier: 928 process_handle: 0x000002c4
NtTerminateProcess Sept. 2, 2021, 9:15 a.m.	status_code: 0xffffffff process_identifier: 928 process_handle: 0x000002c4	1
NtTerminateProcess Sept. 2, 2021, 9:15 a.m.	status_code: 0xffffffff process_identifier: 200 process_handle: 0x000002d0
NtTerminateProcess Sept. 2, 2021, 9:15 a.m.	status_code: 0xffffffff process_identifier: 200 process_handle: 0x000002d0	1

Allocates execute permission to another process indicative of possible code injection (4 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Sept. 2, 2021, 9:15 a.m.	process_identifier: 928 region_size: 958464 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002c0		3221225496
NtAllocateVirtualMemory Sept. 2, 2021, 9:15 a.m.	process_identifier: 2200 region_size: 958464 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002cc	1	0
NtAllocateVirtualMemory Sept. 2, 2021, 9:15 a.m.	process_identifier: 200 region_size: 958464 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002cc		3221225496
NtAllocateVirtualMemory Sept. 2, 2021, 9:15 a.m.	process_identifier: 900 region_size: 958464 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002e0	1	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver

reg_value

C:\ProgramData\Synaptics\Synaptics.exe

Manipulates memory of a non-child process indicative of process injection (4 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 2500 manipulating memory of non-child process 928
Process injection	Process 240 manipulating memory of non-child process 200
NtAllocateVirtualMemory Sept. 2, 2021, 9:15 a.m.	process_identifier: 928 region_size: 958464 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002c0	3221225496	0
NtAllocateVirtualMemory Sept. 2, 2021, 9:15 a.m.	process_identifier: 200 region_size: 958464 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002cc	3221225496	0

Potential code injection by writing to the memory of another process (6 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 2, 2021, 9:15 a.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^Bà ¢« ° @ @ B0P ©@ !@ CODEì `DATAT.° 0 @ÀBSSåà Ð À.idataB* ,Ð @À.tls0 ü À.rdata9@ ü @P.reloc©P ªþ @P.rsrc0¨ @P¶@P base_address: 0x00400000 process_identifier: 2200 process_handle: 0x000002cc	1	1
WriteProcessMemory Sept. 2, 2021, 9:15 a.m.	buffer: 0J0JÄ°I@JSynaptics Pointing Device Driver base_address: 0x004a4000 process_identifier: 2200 process_handle: 0x000002cc	1	1
WriteProcessMemory Sept. 2, 2021, 9:15 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2200 process_handle: 0x000002cc	1	1
WriteProcessMemory Sept. 2, 2021, 9:15 a.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^Bà ¢« ° @ @ B0P ©@ !@ CODEì `DATAT.° 0 @ÀBSSåà Ð À.idataB* ,Ð @À.tls0 ü À.rdata9@ ü @P.reloc©P ªþ @P.rsrc0¨ @P¶@P base_address: 0x00400000 process_identifier: 900 process_handle: 0x000002e0	1	1
WriteProcessMemory Sept. 2, 2021, 9:15 a.m.	buffer: 0J0JÄ°I@JSynaptics Pointing Device Driver base_address: 0x004a4000 process_identifier: 900 process_handle: 0x000002e0	1	1
WriteProcessMemory Sept. 2, 2021, 9:15 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 900 process_handle: 0x000002e0	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 2, 2021, 9:15 a.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^Bà ¢« ° @ @ B0P ©@ !@ CODEì `DATAT.° 0 @ÀBSSåà Ð À.idataB* ,Ð @À.tls0 ü À.rdata9@ ü @P.reloc©P ªþ @P.rsrc0¨ @P¶@P base_address: 0x00400000 process_identifier: 2200 process_handle: 0x000002cc	1	1	0
WriteProcessMemory Sept. 2, 2021, 9:15 a.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^Bà ¢« ° @ @ B0P ©@ !@ CODEì `DATAT.° 0 @ÀBSSåà Ð À.idataB* ,Ð @À.tls0 ü À.rdata9@ ü @P.reloc©P ªþ @P.rsrc0¨ @P¶@P base_address: 0x00400000 process_identifier: 900 process_handle: 0x000002e0	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Sept. 2, 2021, 9:15 a.m.	thread_identifier: 0 callback_function: 0x03823540 hook_identifier: 2 (WH_KEYBOARD) module_address: 0x03820000	1	2097789	0

Network activity contains more than one unique useragent (2 events)

process	Synaptics.exe				useragent	MyApp
process	Synaptics.exe				useragent	Synaptics.exe

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2500 called NtSetContextThread to modify thread in remote process 2200
Process injection	Process 240 called NtSetContextThread to modify thread in remote process 900
NtSetContextThread Sept. 2, 2021, 9:15 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4828032 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002c4 process_identifier: 2200	1	0	0
NtSetContextThread Sept. 2, 2021, 9:15 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4828032 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002d0 process_identifier: 900	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2500 resumed a thread in remote process 2200
Process injection	Process 240 resumed a thread in remote process 900
NtResumeThread Sept. 2, 2021, 9:15 a.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 2200	1	0	0
NtResumeThread Sept. 2, 2021, 9:15 a.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 900	1	0	0

Generates some ICMP traffic

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.6c0795e7a1460e3e
McAfee	Artemis!6C0795E7A146
Sangfor	Suspicious.Win32.Save.a
Cybereason	malicious.5c3d10
Cyren	W32/MSIL_Troj.BKR.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/GenKryptik.FJWB
APEX	Malicious
Kaspersky	HEUR:Trojan.MSIL.Taskun.gen
Avast	Win32:PWSX-gen [Trj]
McAfee-GW-Edition	BehavesLike.Win32.Generic.tc
Sophos	ML/PE-A
SentinelOne	Static AI - Malicious PE
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
AhnLab-V3	Trojan/Win.MSILKrypt.R439738
VBA32	CIL.HeapOverride.Heur
Malwarebytes	MachineLearning/Anomalous.97%
Fortinet	MSIL/GenKryptik.FJWB!tr
BitDefenderTheta	Gen:NN.ZemsilF.34126.en0@aeu!Gf
AVG	Win32:PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_80% (D)
MaxSecure	Trojan.Malware.300983.susgen

Executed a process and injected code into it, probably while unpacking (50 out of 56 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 2, 2021, 9:14 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2500	1	0
NtResumeThread Sept. 2, 2021, 9:14 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2500	1	0
NtResumeThread Sept. 2, 2021, 9:14 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2500	1	0
NtResumeThread Sept. 2, 2021, 9:14 a.m.	thread_handle: 0x00000204 suspend_count: 1 process_identifier: 2500	1	0
NtGetContextThread Sept. 2, 2021, 9:14 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Sept. 2, 2021, 9:14 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Sept. 2, 2021, 9:14 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2500	1	0
NtResumeThread Sept. 2, 2021, 9:15 a.m.	thread_handle: 0x000002b4 suspend_count: 1 process_identifier: 2500	1	0
CreateProcessInternalW Sept. 2, 2021, 9:15 a.m.	thread_identifier: 688 thread_handle: 0x000002bc process_identifier: 928 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\templefirstzx.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\templefirstzx.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002c0	1	1
NtGetContextThread Sept. 2, 2021, 9:15 a.m.	thread_handle: 0x000002bc	1	0
NtAllocateVirtualMemory Sept. 2, 2021, 9:15 a.m.	process_identifier: 928 region_size: 958464 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002c0		3221225496
CreateProcessInternalW Sept. 2, 2021, 9:15 a.m.	thread_identifier: 2308 thread_handle: 0x000002c4 process_identifier: 2200 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\templefirstzx.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\templefirstzx.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002cc	1	1
NtGetContextThread Sept. 2, 2021, 9:15 a.m.	thread_handle: 0x000002c4	1	0
NtAllocateVirtualMemory Sept. 2, 2021, 9:15 a.m.	process_identifier: 2200 region_size: 958464 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002cc	1	0
WriteProcessMemory Sept. 2, 2021, 9:15 a.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^Bà ¢« ° @ @ B0P ©@ !@ CODEì `DATAT.° 0 @ÀBSSåà Ð À.idataB* ,Ð @À.tls0 ü À.rdata9@ ü @P.reloc©P ªþ @P.rsrc0¨ @P¶@P base_address: 0x00400000 process_identifier: 2200 process_handle: 0x000002cc	1	1
WriteProcessMemory Sept. 2, 2021, 9:15 a.m.	buffer: base_address: 0x00401000 process_identifier: 2200 process_handle: 0x000002cc	1	1
WriteProcessMemory Sept. 2, 2021, 9:15 a.m.	buffer: base_address: 0x0049b000 process_identifier: 2200 process_handle: 0x000002cc	1	1
WriteProcessMemory Sept. 2, 2021, 9:15 a.m.	buffer: base_address: 0x004a0000 process_identifier: 2200 process_handle: 0x000002cc	1	1
WriteProcessMemory Sept. 2, 2021, 9:15 a.m.	buffer: 0J0JÄ°I@JSynaptics Pointing Device Driver base_address: 0x004a4000 process_identifier: 2200 process_handle: 0x000002cc	1	1
WriteProcessMemory Sept. 2, 2021, 9:15 a.m.	buffer: base_address: 0x004a5000 process_identifier: 2200 process_handle: 0x000002cc	1	1
WriteProcessMemory Sept. 2, 2021, 9:15 a.m.	buffer: base_address: 0x004b0000 process_identifier: 2200 process_handle: 0x000002cc	1	1
WriteProcessMemory Sept. 2, 2021, 9:15 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2200 process_handle: 0x000002cc	1	1
NtSetContextThread Sept. 2, 2021, 9:15 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4828032 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002c4 process_identifier: 2200	1	0
NtResumeThread Sept. 2, 2021, 9:15 a.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 2200	1	0
NtResumeThread Sept. 2, 2021, 9:15 a.m.	thread_handle: 0x00000160 suspend_count: 1 process_identifier: 2200	1	0
CreateProcessInternalW Sept. 2, 2021, 9:15 a.m.	thread_identifier: 1624 thread_handle: 0x00000448 process_identifier: 1784 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\._cache_templefirstzx.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\._cache_templefirstzx.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\._cache_templefirstzx.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000440	1	1
CreateProcessInternalW Sept. 2, 2021, 9:15 a.m.	thread_identifier: 424 thread_handle: 0x00000448 process_identifier: 240 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\ProgramData\Synaptics\Synaptics.exe track: 1 command_line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate filepath_r: C:\ProgramData\Synaptics\Synaptics.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000398	1	1
NtResumeThread Sept. 2, 2021, 9:15 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 240	1	0
NtResumeThread Sept. 2, 2021, 9:15 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 240	1	0
NtResumeThread Sept. 2, 2021, 9:15 a.m.	thread_handle: 0x000001c0 suspend_count: 1 process_identifier: 240	1	0
NtResumeThread Sept. 2, 2021, 9:15 a.m.	thread_handle: 0x000001dc suspend_count: 1 process_identifier: 240	1	0
NtResumeThread Sept. 2, 2021, 9:15 a.m.	thread_handle: 0x000002c0 suspend_count: 1 process_identifier: 240	1	0
NtGetContextThread Sept. 2, 2021, 9:15 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Sept. 2, 2021, 9:15 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Sept. 2, 2021, 9:15 a.m.	thread_handle: 0x000000e0	1	0
NtSetContextThread Sept. 2, 2021, 9:15 a.m.	registers.eip: 1927555972 registers.esp: 3790044 registers.edi: 3790080 registers.eax: 18761803 registers.ebp: 3790104 registers.edx: 1 registers.ebx: 3790528 registers.esi: 89052896 registers.ecx: 12 thread_handle: 0x000000e0 process_identifier: 240	1	0
NtResumeThread Sept. 2, 2021, 9:15 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 240	1	0
CreateProcessInternalW Sept. 2, 2021, 9:15 a.m.	thread_identifier: 156 thread_handle: 0x000002c8 process_identifier: 200 current_directory: filepath: C:\ProgramData\Synaptics\Synaptics.exe track: 1 command_line: filepath_r: C:\ProgramData\Synaptics\Synaptics.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002cc	1	1
NtGetContextThread Sept. 2, 2021, 9:15 a.m.	thread_handle: 0x000002c8	1	0
NtAllocateVirtualMemory Sept. 2, 2021, 9:15 a.m.	process_identifier: 200 region_size: 958464 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002cc		3221225496
CreateProcessInternalW Sept. 2, 2021, 9:15 a.m.	thread_identifier: 904 thread_handle: 0x000002d0 process_identifier: 900 current_directory: filepath: C:\ProgramData\Synaptics\Synaptics.exe track: 1 command_line: filepath_r: C:\ProgramData\Synaptics\Synaptics.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002e0	1	1
NtGetContextThread Sept. 2, 2021, 9:15 a.m.	thread_handle: 0x000002d0	1	0
NtAllocateVirtualMemory Sept. 2, 2021, 9:15 a.m.	process_identifier: 900 region_size: 958464 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002e0	1	0
WriteProcessMemory Sept. 2, 2021, 9:15 a.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^Bà ¢« ° @ @ B0P ©@ !@ CODEì `DATAT.° 0 @ÀBSSåà Ð À.idataB* ,Ð @À.tls0 ü À.rdata9@ ü @P.reloc©P ªþ @P.rsrc0¨ @P¶@P base_address: 0x00400000 process_identifier: 900 process_handle: 0x000002e0	1	1
WriteProcessMemory Sept. 2, 2021, 9:15 a.m.	buffer: base_address: 0x00401000 process_identifier: 900 process_handle: 0x000002e0	1	1
WriteProcessMemory Sept. 2, 2021, 9:15 a.m.	buffer: base_address: 0x0049b000 process_identifier: 900 process_handle: 0x000002e0	1	1
WriteProcessMemory Sept. 2, 2021, 9:15 a.m.	buffer: base_address: 0x004a0000 process_identifier: 900 process_handle: 0x000002e0	1	1
WriteProcessMemory Sept. 2, 2021, 9:15 a.m.	buffer: 0J0JÄ°I@JSynaptics Pointing Device Driver base_address: 0x004a4000 process_identifier: 900 process_handle: 0x000002e0	1	1
WriteProcessMemory Sept. 2, 2021, 9:15 a.m.	buffer: base_address: 0x004a5000 process_identifier: 900 process_handle: 0x000002e0	1	1
WriteProcessMemory Sept. 2, 2021, 9:15 a.m.	buffer: base_address: 0x004b0000 process_identifier: 900 process_handle: 0x000002e0	1	1

templefirstzx.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All