Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 28, 2021, 3:55 p.m.	Sept. 28, 2021, 4:21 p.m.

Size	378.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`51195e0d79dacd68acd8b5bcbc356ab1`
SHA256	`129d230573fdb00a681a7f0c507bc16d2efcd08c4408f544f1d7653162b2cd92`
CRC32	`3BD74DCE`
ssdeep	`768:iE50n4yxVoVPS5jGAkq1IB99EXlTwYq0CrCmrmo/w6q5qw74J8:iToVPiGAkOI+hwYk2`
PDB Path	c:\Users\Administrator\AppData\Local\Temp\2\CTJNw.pdb
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description)

jol.exe "C:\Users\test22\AppData\Local\Temp\jol.exe"
732
- jol.exe "C:\Users\test22\AppData\Local\Temp\jol.exe"
  584

Name	Response	Post-Analysis Lookup
www.localagentlab.com	CNAME localagentlab.com A 34.102.136.180	34.102.136.180
www.miyonbuilding.com
www.georges-lego.com	A 192.0.78.25 A 192.0.78.24 CNAME georges-lego.com	192.0.78.24
www.jmrrve.com	A 172.67.152.136 A 104.21.2.49	104.21.2.49
www.thehauntdepot.com
www.krveop.com	A 104.21.49.26 A 172.67.158.14	172.67.158.14
www.lkkogltoyof4.xyz	A 150.95.255.38	150.95.255.38
www.reemletenleafy.com
www.babybox.media
www.car-insurance-rates-x2.info	CNAME car-insurance-rates-x2.info A 66.29.132.69	66.29.132.69
www.dubaibiologicdentist.com	A 198.54.117.218 A 198.54.117.216 A 198.54.117.217 CNAME parkingpage.namecheap.com A 198.54.117.215 A 198.54.117.212 A 198.54.117.210 A 198.54.117.211	198.54.117.210
www.wenyuexuan.com
www.brandqrcodes.com	A 99.86.207.117 A 99.86.207.38 A 99.86.207.26 A 99.86.207.37	99.86.207.38
www.livinglovinglincoln.com	CNAME livinglovinglincoln.com A 34.102.136.180	34.102.136.180
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.135.233

IP Address	Status	Action
104.21.2.49	Active	Moloch
104.21.49.26	Active	Moloch
150.95.255.38	Active	Moloch
162.159.134.233	Active	Moloch
164.124.101.2	Active	Moloch
192.0.78.24	Active	Moloch
198.54.117.211	Active	Moloch
31.210.20.22	Active	Moloch
34.102.136.180	Active	Moloch
66.29.132.69	Active	Moloch
99.86.207.37	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49198 -> 31.210.20.22:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.101:49198 -> 31.210.20.22:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 31.210.20.22:80 -> 192.168.56.101:49198	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 31.210.20.22:80 -> 192.168.56.101:49198	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 31.210.20.22:80 -> 192.168.56.101:49198	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49201 -> 162.159.134.233:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49214 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 104.21.49.26:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 104.21.49.26:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 104.21.49.26:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 104.21.2.49:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 104.21.2.49:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 104.21.2.49:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49220 -> 150.95.255.38:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49220 -> 150.95.255.38:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49220 -> 150.95.255.38:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49220 -> 150.95.255.38:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.101:49208 -> 66.29.132.69:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 66.29.132.69:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 66.29.132.69:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 192.0.78.24:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 192.0.78.24:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 192.0.78.24:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49222 -> 198.54.117.211:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49222 -> 198.54.117.211:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49222 -> 198.54.117.211:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 99.86.207.37:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 99.86.207.37:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 99.86.207.37:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49201 162.159.134.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	54:e1:a7:9d:cc:c8:60:86:f1:a5:da:74:0e:5a:ab:45:df:37:8a:78

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Sept. 28, 2021, 3:56 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Sept. 28, 2021, 3:56 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 28, 2021, 3:55 p.m.			0	0
IsDebuggerPresent Sept. 28, 2021, 3:55 p.m.			0	0
IsDebuggerPresent Sept. 28, 2021, 3:56 p.m.			0	0
IsDebuggerPresent Sept. 28, 2021, 3:56 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

c:\Users\Administrator\AppData\Local\Temp\2\CTJNw.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 28, 2021, 3:55 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (10 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://31.210.20.22/xxm/hak.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.livinglovinglincoln.com/mjyv/?jL04lH=v6+mrmhO2D69c29A/GgIjudjrVDrCDx9nnSs75EQfHkZ3AKYNDn6ZLLROHAwtRRZFNrkSLmU&w0G=mfZ8ixbxe8Q4
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.car-insurance-rates-x2.info/mjyv/?jL04lH=JsVmDLitPD5sN21NuRjxCxYGWX6Zun1yL1UzMyeyoC0PN1VTm+kRrJp4mrpqyvRLfa8C5kJ3&w0G=mfZ8ixbxe8Q4
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.georges-lego.com/mjyv/?jL04lH=IZUq8fC9aIDt6XI/MpfblzTmEBhmcMRnvlVpbIF889hbhAnbHw7SbsJeBBLvviP4WChYzMnM&w0G=mfZ8ixbxe8Q4
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.brandqrcodes.com/mjyv/?jL04lH=UrRdFqIHIOT9TTwqrgiD5IQ8ICq4EZmeq8Qf7hTdESXU5u+H11XJP7uPtyUjrGxObxoE2Pl7&w0G=mfZ8ixbxe8Q4
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.localagentlab.com/mjyv/?jL04lH=MgSBGe4UfRsxE+vcY6lCnzsJdaRn2Tt2te4kufH0BbtC9PnAxa6ttLLgFfm6oaBPxXTKCyZA&w0G=mfZ8ixbxe8Q4
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.krveop.com/mjyv/?jL04lH=HyN26CoozcigRUDs6U0prJ5eBZfzn97g/8B9IGyhoA6SSk6Sl3gieBOJFuTEwLYMjZXl5Kk/&w0G=mfZ8ixbxe8Q4
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.jmrrve.com/mjyv/?jL04lH=MugnLanDZ3SAjzNGVYbYT4Dv9bUq7VTPAUXZDjWlHe9ioe8xswTkcd0N7hIbRG1/aAPOZqOJ&w0G=mfZ8ixbxe8Q4
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.lkkogltoyof4.xyz/mjyv/?jL04lH=EAnvUfdnxtXwjiMmXogoEpuHKt07Q8tnkdGiEhG/REbOr3I/vzDeldegz5vqjtC9vgo6Xl7J&w0G=mfZ8ixbxe8Q4
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.dubaibiologicdentist.com/mjyv/?jL04lH=BKHfsn/GYCC1h//vT8riYCukHI0Zyw57gwlmm1nTEYp+2eyN1NLV8AZGtmaXrDVZIiSg94F5&w0G=mfZ8ixbxe8Q4

Performs some HTTP requests (20 events)

request	GET http://31.210.20.22/xxm/hak.exe
request	POST http://www.livinglovinglincoln.com/mjyv/
request	GET http://www.livinglovinglincoln.com/mjyv/?jL04lH=v6+mrmhO2D69c29A/GgIjudjrVDrCDx9nnSs75EQfHkZ3AKYNDn6ZLLROHAwtRRZFNrkSLmU&w0G=mfZ8ixbxe8Q4
request	POST http://www.car-insurance-rates-x2.info/mjyv/
request	GET http://www.car-insurance-rates-x2.info/mjyv/?jL04lH=JsVmDLitPD5sN21NuRjxCxYGWX6Zun1yL1UzMyeyoC0PN1VTm+kRrJp4mrpqyvRLfa8C5kJ3&w0G=mfZ8ixbxe8Q4
request	POST http://www.georges-lego.com/mjyv/
request	GET http://www.georges-lego.com/mjyv/?jL04lH=IZUq8fC9aIDt6XI/MpfblzTmEBhmcMRnvlVpbIF889hbhAnbHw7SbsJeBBLvviP4WChYzMnM&w0G=mfZ8ixbxe8Q4
request	POST http://www.brandqrcodes.com/mjyv/
request	GET http://www.brandqrcodes.com/mjyv/?jL04lH=UrRdFqIHIOT9TTwqrgiD5IQ8ICq4EZmeq8Qf7hTdESXU5u+H11XJP7uPtyUjrGxObxoE2Pl7&w0G=mfZ8ixbxe8Q4
request	POST http://www.localagentlab.com/mjyv/
request	GET http://www.localagentlab.com/mjyv/?jL04lH=MgSBGe4UfRsxE+vcY6lCnzsJdaRn2Tt2te4kufH0BbtC9PnAxa6ttLLgFfm6oaBPxXTKCyZA&w0G=mfZ8ixbxe8Q4
request	POST http://www.krveop.com/mjyv/
request	GET http://www.krveop.com/mjyv/?jL04lH=HyN26CoozcigRUDs6U0prJ5eBZfzn97g/8B9IGyhoA6SSk6Sl3gieBOJFuTEwLYMjZXl5Kk/&w0G=mfZ8ixbxe8Q4
request	POST http://www.jmrrve.com/mjyv/
request	GET http://www.jmrrve.com/mjyv/?jL04lH=MugnLanDZ3SAjzNGVYbYT4Dv9bUq7VTPAUXZDjWlHe9ioe8xswTkcd0N7hIbRG1/aAPOZqOJ&w0G=mfZ8ixbxe8Q4
request	POST http://www.lkkogltoyof4.xyz/mjyv/
request	GET http://www.lkkogltoyof4.xyz/mjyv/?jL04lH=EAnvUfdnxtXwjiMmXogoEpuHKt07Q8tnkdGiEhG/REbOr3I/vzDeldegz5vqjtC9vgo6Xl7J&w0G=mfZ8ixbxe8Q4
request	POST http://www.dubaibiologicdentist.com/mjyv/
request	GET http://www.dubaibiologicdentist.com/mjyv/?jL04lH=BKHfsn/GYCC1h//vT8riYCukHI0Zyw57gwlmm1nTEYp+2eyN1NLV8AZGtmaXrDVZIiSg94F5&w0G=mfZ8ixbxe8Q4
request	GET https://cdn.discordapp.com/attachments/888348114673598475/890866414997635092/TNG.dll

Sends data using the HTTP POST Method (9 events)

request	POST http://www.livinglovinglincoln.com/mjyv/
request	POST http://www.car-insurance-rates-x2.info/mjyv/
request	POST http://www.georges-lego.com/mjyv/
request	POST http://www.brandqrcodes.com/mjyv/
request	POST http://www.localagentlab.com/mjyv/
request	POST http://www.krveop.com/mjyv/
request	POST http://www.jmrrve.com/mjyv/
request	POST http://www.lkkogltoyof4.xyz/mjyv/
request	POST http://www.dubaibiologicdentist.com/mjyv/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 54 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00830000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01eb0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02050000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00425000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00427000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00416000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00510000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00417000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 6656 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d10400 process_handle: 0xffffffff		3221225550
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00511000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00513000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00514000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00515000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00516000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00517000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00518000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00519000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05230000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05231000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05232000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05233000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05234000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05235000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05236000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05237000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05238000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05239000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0523a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0523b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0523c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0523d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0523e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0523f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 28, 2021, 3:55 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 28, 2021, 3:56 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 28, 2021, 3:56 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

31.210.20.22

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 584 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000005e8	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 28, 2021, 3:56 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELÓ@«Tà \|`Ô@@.text\|{\| ` base_address: 0x00400000 process_identifier: 584 process_handle: 0x000005e8	1	1	0
WriteProcessMemory Sept. 28, 2021, 3:56 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 584 process_handle: 0x000005e8	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 28, 2021, 3:56 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELÓ@«Tà \|`Ô@@.text\|{\| ` base_address: 0x00400000 process_identifier: 584 process_handle: 0x000005e8	1	1	0

File has been identified by 14 AntiVirus engines on VirusTotal as malicious (14 events)

FireEye	Generic.mg.51195e0d79dacd68
Cyren	W32/MSIL_Kryptik.EHH.gen!Eldorado
APEX	Malicious
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
Avast	FileRepMetagen [Malware]
McAfee-GW-Edition	Artemis
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
McAfee	Artemis!51195E0D79DA
Malwarebytes	Trojan.Downloader.MSIL.Generic
SentinelOne	Static AI - Malicious PE
Fortinet	MSIL/Tiny.BGM!tr.dldr
BitDefenderTheta	Gen:NN.ZemsilF.34170.xm0@aev4W0l
AVG	FileRepMetagen [Malware]
CrowdStrike	win/malicious_confidence_80% (W)

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 732 called NtSetContextThread to modify thread in remote process 584
NtSetContextThread Sept. 28, 2021, 3:56 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314208 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000005e4 process_identifier: 584	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 732 resumed a thread in remote process 584
NtResumeThread Sept. 28, 2021, 3:56 p.m.	thread_handle: 0x000005e4 suspend_count: 1 process_identifier: 584	1	0	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (16 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 28, 2021, 3:55 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 732	1	0
NtResumeThread Sept. 28, 2021, 3:55 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 732	1	0
NtResumeThread Sept. 28, 2021, 3:55 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 732	1	0
NtResumeThread Sept. 28, 2021, 3:55 p.m.	thread_handle: 0x0000034c suspend_count: 1 process_identifier: 732	1	0
NtResumeThread Sept. 28, 2021, 3:56 p.m.	thread_handle: 0x000005d4 suspend_count: 1 process_identifier: 732	1	0
NtGetContextThread Sept. 28, 2021, 3:56 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Sept. 28, 2021, 3:56 p.m.	thread_handle: 0x000000e8	1	0
NtResumeThread Sept. 28, 2021, 3:56 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 732	1	0
CreateProcessInternalW Sept. 28, 2021, 3:56 p.m.	thread_identifier: 1396 thread_handle: 0x000005e4 process_identifier: 584 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\jol.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\jol.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\jol.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000005e8	1	1
NtGetContextThread Sept. 28, 2021, 3:56 p.m.	thread_handle: 0x000005e4	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:56 p.m.	process_identifier: 584 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000005e8	1	0
WriteProcessMemory Sept. 28, 2021, 3:56 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELÓ@«Tà \|`Ô@@.text\|{\| ` base_address: 0x00400000 process_identifier: 584 process_handle: 0x000005e8	1	1
WriteProcessMemory Sept. 28, 2021, 3:56 p.m.	buffer: base_address: 0x00401000 process_identifier: 584 process_handle: 0x000005e8	1	1
WriteProcessMemory Sept. 28, 2021, 3:56 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 584 process_handle: 0x000005e8	1	1
NtSetContextThread Sept. 28, 2021, 3:56 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314208 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000005e4 process_identifier: 584	1	0
NtResumeThread Sept. 28, 2021, 3:56 p.m.	thread_handle: 0x000005e4 suspend_count: 1 process_identifier: 584	1	0

jol.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All