Summary | ZeroBOX

oii.exe

Generic Malware AntiDebug PE File PE32 .NET EXE AntiVM
Category: FILE
Machine: s1_win7_x6401
Started: Oct. 1, 2021, 9:26 a.m.
Completed: Oct. 1, 2021, 9:39 a.m.
Size 597.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 e1be4d5a120b60f3e06225f7e8bbccd2
SHA256 1fae82dd43e0af0adf50dea57a3a609682ea8a604d67701448ab91d3193f4eb1
CRC32 11E8775A
ssdeep 6144:6v10RTfv3LlllInfVWnabNtibkMMgJKsUAzyIfZGN92g2LTalV9qLbJV:42n7llWnsaQkMaOffZE92g2LelV9
Yara
  • PE_Header_Zero - PE File Signature
  • Generic_Malware_Zero - Generic Malware
  • Is_DotNET_EXE - (no description)
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • IsPE32 - (no description)

IP Address Status Action
103.224.182.210 Active Moloch
104.16.13.194 Active Moloch
104.167.94.227 Active Moloch
104.21.51.3 Active Moloch
104.248.158.121 Active Moloch
108.179.246.105 Active Moloch
164.124.101.2 Active Moloch
184.168.131.241 Active Moloch
198.54.117.215 Active Moloch
199.59.242.153 Active Moloch
23.227.38.74 Active Moloch
3.223.115.185 Active Moloch
34.102.136.180 Active Moloch
66.29.132.69 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49206 -> 199.59.242.153:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 199.59.242.153:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 199.59.242.153:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 104.167.94.227:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 104.167.94.227:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 104.167.94.227:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49220 -> 23.227.38.74:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49220 -> 23.227.38.74:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49220 -> 23.227.38.74:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49226 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49226 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49226 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49224 -> 104.21.51.3:80 2221045 SURICATA HTTP Unexpected Request body Generic Protocol Command Decode
TCP 192.168.56.101:49230 -> 104.16.13.194:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49230 -> 104.16.13.194:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49230 -> 104.16.13.194:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 103.224.182.210:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 103.224.182.210:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 104.248.158.121:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 103.224.182.210:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 104.248.158.121:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 104.248.158.121:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 108.179.246.105:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 108.179.246.105:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 108.179.246.105:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49222 -> 66.29.132.69:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49222 -> 66.29.132.69:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49222 -> 66.29.132.69:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49228 -> 184.168.131.241:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49228 -> 184.168.131.241:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49228 -> 184.168.131.241:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 3.223.115.185:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 3.223.115.185:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 3.223.115.185:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 198.54.117.215:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 198.54.117.215:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 198.54.117.215:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
resource name GOOGLEUPDATEAPPLICATIONCOMMANDS
suspicious_features GET method with no useragent header suspicious_request GET http://www.p60p.com/mjyv/?r6=Nc2ITi3hwuQIcyh1bMkL43y7/hZHkWWA0ujPuKcdOOsTZzLfHZK3SBjMOtbWV1AocZlKDKA1&CZ9=8pHxu0K
suspicious_features GET method with no useragent header suspicious_request GET http://www.ziototoristorante.com/mjyv/?r6=BGF3MaDqcKXz2+ypQpBN49HcofQtIb5uumrf5yGZXgK71e6jsOADztt5ugiiGjAz+eZLHYvw&CZ9=8pHxu0K
suspicious_features GET method with no useragent header suspicious_request GET http://www.mabduh.com/mjyv/?r6=46trCuKNqElCtXxdD3CcU/1zXCvbbh+innazVP0/Ec93daT9L2c67QrrBUNmDwq56qbHS8kb&CZ9=8pHxu0K
suspicious_features GET method with no useragent header suspicious_request GET http://www.chinatowndeliver.com/mjyv/?r6=XUhyKAoNxujTTpq6c1lVw6UQrcGLXYJeNJQlydFnX5NrKnJZi3xXzQdWOhxeGOo0cSGE9W02&CZ9=8pHxu0K
suspicious_features GET method with no useragent header suspicious_request GET http://www.luvnecklace.com/mjyv/?r6=d9nWK9gIaGH81JCj1TOn6Acpjx5yU8RNy3mdtKdpBGdfCLj/BDbaNBqHqAwZa6LVFNP/k/vR&CZ9=8pHxu0K
suspicious_features GET method with no useragent header suspicious_request GET http://www.simpeltattofor.men/mjyv/?r6=YF19YjsW8YJ3UOve4Qb3KBW5CTiNCbLMIoRIqgRYw5C7pHv6F5Yv7+2MVeO4kquiRvNeMbg8&CZ9=8pHxu0K
suspicious_features GET method with no useragent header suspicious_request GET http://www.productprinting.online/mjyv/?r6=dI0EVfu1T7SuYQVSFiskZOhLU8OYvItQe6UNnJ1ElFuaQLbdP5Uf2YRPyTd8+GYShGrxOpBk&CZ9=8pHxu0K
suspicious_features GET method with no useragent header suspicious_request GET http://www.dubaibiologicdentist.com/mjyv/?r6=BKHfsn/GYCC1h//vT8riYCukHI0Zyw57gwlmm1nTEYp+2eyN1NLV8AZGtmaXrDVZIiSg94F5&CZ9=8pHxu0K
suspicious_features GET method with no useragent header suspicious_request GET http://www.anielleharris.com/mjyv/?r6=Vdqln5Bga6RSx61h1Kvk7xYPJlO1KgLwQnK13iOT9vNjy68/mEc8j6E46zK0xbCAzSox5p/r&CZ9=8pHxu0K
suspicious_features GET method with no useragent header suspicious_request GET http://www.car-insurance-rates-x2.info/mjyv/?r6=JsVmDLitPD5sN21NuRjxCxYGWX6Zun1yL1UzMyeyoC0PN1VTm+kRrJp4mrpqyvRLfa8C5kJ3&CZ9=8pHxu0K
suspicious_features GET method with no useragent header suspicious_request GET http://www.calmingscience.com/mjyv/?r6=88UrMb6q8kEA6d0RMNJBQg7TjSnN5axFSt02V9alnUE8WVXARanhd7Zn9ZpbXjvnPJPP0laE&CZ9=8pHxu0K
suspicious_features GET method with no useragent header suspicious_request GET http://www.behiscalm.com/mjyv/?r6=K9FJa1ryPTd/bsjfiuRfbodFPMpyTpIbchH43KPgl0gdBdpLbzvy0KNnzkM4/ITWWD0DdyPm&CZ9=8pHxu0K
suspicious_features GET method with no useragent header suspicious_request GET http://www.mccorklehometeam.com/mjyv/?r6=R98Rpb+Ys7+0hNBLZTeJnFF4NkgkCgUAMyRYh/dXiy03XFnOcrWkZjimNn9sRbYS/za5FcC6&CZ9=8pHxu0K
suspicious_features GET method with no useragent header suspicious_request GET http://www.healthylifefit.com/mjyv/?r6=wu4G29Df/3jk6rtufY07T1aH5SRRTSPupQ0Am8+JIxBphBMLoCuvIjFknaaw90h7xGBdC+KC&CZ9=8pHxu0K
request POST http://www.p60p.com/mjyv/
request GET http://www.p60p.com/mjyv/?r6=Nc2ITi3hwuQIcyh1bMkL43y7/hZHkWWA0ujPuKcdOOsTZzLfHZK3SBjMOtbWV1AocZlKDKA1&CZ9=8pHxu0K
request POST http://www.ziototoristorante.com/mjyv/
request GET http://www.ziototoristorante.com/mjyv/?r6=BGF3MaDqcKXz2+ypQpBN49HcofQtIb5uumrf5yGZXgK71e6jsOADztt5ugiiGjAz+eZLHYvw&CZ9=8pHxu0K
request POST http://www.mabduh.com/mjyv/
request GET http://www.mabduh.com/mjyv/?r6=46trCuKNqElCtXxdD3CcU/1zXCvbbh+innazVP0/Ec93daT9L2c67QrrBUNmDwq56qbHS8kb&CZ9=8pHxu0K
request POST http://www.chinatowndeliver.com/mjyv/
request GET http://www.chinatowndeliver.com/mjyv/?r6=XUhyKAoNxujTTpq6c1lVw6UQrcGLXYJeNJQlydFnX5NrKnJZi3xXzQdWOhxeGOo0cSGE9W02&CZ9=8pHxu0K
request POST http://www.luvnecklace.com/mjyv/
request GET http://www.luvnecklace.com/mjyv/?r6=d9nWK9gIaGH81JCj1TOn6Acpjx5yU8RNy3mdtKdpBGdfCLj/BDbaNBqHqAwZa6LVFNP/k/vR&CZ9=8pHxu0K
request POST http://www.simpeltattofor.men/mjyv/
request GET http://www.simpeltattofor.men/mjyv/?r6=YF19YjsW8YJ3UOve4Qb3KBW5CTiNCbLMIoRIqgRYw5C7pHv6F5Yv7+2MVeO4kquiRvNeMbg8&CZ9=8pHxu0K
request POST http://www.productprinting.online/mjyv/
request GET http://www.productprinting.online/mjyv/?r6=dI0EVfu1T7SuYQVSFiskZOhLU8OYvItQe6UNnJ1ElFuaQLbdP5Uf2YRPyTd8+GYShGrxOpBk&CZ9=8pHxu0K
request POST http://www.dubaibiologicdentist.com/mjyv/
request GET http://www.dubaibiologicdentist.com/mjyv/?r6=BKHfsn/GYCC1h//vT8riYCukHI0Zyw57gwlmm1nTEYp+2eyN1NLV8AZGtmaXrDVZIiSg94F5&CZ9=8pHxu0K
request POST http://www.anielleharris.com/mjyv/
request GET http://www.anielleharris.com/mjyv/?r6=Vdqln5Bga6RSx61h1Kvk7xYPJlO1KgLwQnK13iOT9vNjy68/mEc8j6E46zK0xbCAzSox5p/r&CZ9=8pHxu0K
request POST http://www.car-insurance-rates-x2.info/mjyv/
request GET http://www.car-insurance-rates-x2.info/mjyv/?r6=JsVmDLitPD5sN21NuRjxCxYGWX6Zun1yL1UzMyeyoC0PN1VTm+kRrJp4mrpqyvRLfa8C5kJ3&CZ9=8pHxu0K
request POST http://www.calmingscience.com/mjyv/
request GET http://www.calmingscience.com/mjyv/?r6=88UrMb6q8kEA6d0RMNJBQg7TjSnN5axFSt02V9alnUE8WVXARanhd7Zn9ZpbXjvnPJPP0laE&CZ9=8pHxu0K
request POST http://www.behiscalm.com/mjyv/
request GET http://www.behiscalm.com/mjyv/?r6=K9FJa1ryPTd/bsjfiuRfbodFPMpyTpIbchH43KPgl0gdBdpLbzvy0KNnzkM4/ITWWD0DdyPm&CZ9=8pHxu0K
request POST http://www.mccorklehometeam.com/mjyv/
request GET http://www.mccorklehometeam.com/mjyv/?r6=R98Rpb+Ys7+0hNBLZTeJnFF4NkgkCgUAMyRYh/dXiy03XFnOcrWkZjimNn9sRbYS/za5FcC6&CZ9=8pHxu0K
request POST http://www.healthylifefit.com/mjyv/
request GET http://www.healthylifefit.com/mjyv/?r6=wu4G29Df/3jk6rtufY07T1aH5SRRTSPupQ0Am8+JIxBphBMLoCuvIjFknaaw90h7xGBdC+KC&CZ9=8pHxu0K
request POST http://www.p60p.com/mjyv/
request POST http://www.ziototoristorante.com/mjyv/
request POST http://www.mabduh.com/mjyv/
request POST http://www.chinatowndeliver.com/mjyv/
request POST http://www.luvnecklace.com/mjyv/
request POST http://www.simpeltattofor.men/mjyv/
request POST http://www.productprinting.online/mjyv/
request POST http://www.dubaibiologicdentist.com/mjyv/
request POST http://www.anielleharris.com/mjyv/
request POST http://www.car-insurance-rates-x2.info/mjyv/
request POST http://www.calmingscience.com/mjyv/
request POST http://www.behiscalm.com/mjyv/
request POST http://www.mccorklehometeam.com/mjyv/
request POST http://www.healthylifefit.com/mjyv/
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 2097152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008d0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72741000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72742000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 1703936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02030000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02190000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00462000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0047c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01fc0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01fc1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01fc4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0049b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00497000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00495000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01fc9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02120000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02121000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02127000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02130000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02131000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02137000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x020f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x020f1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x020f6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02100000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02101000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02106000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02110000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02111000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02116000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02140000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02141000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02146000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0214b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02150000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02151000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0047d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02156000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0215c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0068f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00680000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0046a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0215d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00486000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0048a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00487000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0047a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0215e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0215f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1908
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00681000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
description oii.exe tried to sleep 237 seconds, actually delayed analysis time by 237 seconds
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2084
region_size: 167936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002e4
1 0 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZERèXƒè ‹ÈƒÀ<‹ÁƒÀ(ÿᐸº´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"šúHuQH"šÏH:QH"šÌH8QHRich9QHPELÓ@«Tà  |`Ԑ@@.text|{| `
base_address: 0x00400000
process_identifier: 2084
process_handle: 0x000002e4
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2084
process_handle: 0x000002e4
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZERèXƒè ‹ÈƒÀ<‹ÁƒÀ(ÿᐸº´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"šúHuQH"šÏH:QH"šÌH8QHRich9QHPELÓ@«Tà  |`Ԑ@@.text|{| `
base_address: 0x00400000
process_identifier: 2084
process_handle: 0x000002e4
1 1 0
Elastic malicious (high confidence)
FireEye Generic.mg.e1be4d5a120b60f3
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_80% (D)
BitDefenderTheta Gen:NN.ZemsilF.34170.Lm0@aS9jReki
ESET-NOD32 a variant of MSIL/Injector.VRI
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan.Win32.Generic
SentinelOne Static AI - Malicious PE
Microsoft Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm HEUR:Trojan.Win32.Generic
Malwarebytes Trojan.Crypt.MSIL.Generic
Fortinet MSIL/Agent.VRN!tr
Process injection Process 1908 called NtSetContextThread to modify thread in remote process 2084
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4314208
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002e0
process_identifier: 2084
1 0 0
Process injection Process 1908 resumed a thread in remote process 2084
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000002e0
suspend_count: 1
process_identifier: 2084
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000000e0
suspend_count: 1
process_identifier: 1908
1 0 0

NtResumeThread

thread_handle: 0x00000154
suspend_count: 1
process_identifier: 1908
1 0 0

NtResumeThread

thread_handle: 0x00000190
suspend_count: 1
process_identifier: 1908
1 0 0

NtResumeThread

thread_handle: 0x00000214
suspend_count: 1
process_identifier: 1908
1 0 0

NtResumeThread

thread_handle: 0x00000228
suspend_count: 1
process_identifier: 1908
1 0 0

CreateProcessInternalW

thread_identifier: 2888
thread_handle: 0x000002e0
process_identifier: 2084
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\oii.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\oii.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\oii.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000002e4
1 1 0

NtGetContextThread

thread_handle: 0x000002e0
1 0 0

NtAllocateVirtualMemory

process_identifier: 2084
region_size: 167936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002e4
1 0 0

WriteProcessMemory

buffer: MZERèXƒè ‹ÈƒÀ<‹ÁƒÀ(ÿᐸº´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"šúHuQH"šÏH:QH"šÌH8QHRich9QHPELÓ@«Tà  |`Ԑ@@.text|{| `
base_address: 0x00400000
process_identifier: 2084
process_handle: 0x000002e4
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00401000
process_identifier: 2084
process_handle: 0x000002e4
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2084
process_handle: 0x000002e4
1 1 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4314208
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002e0
process_identifier: 2084
1 0 0

NtResumeThread

thread_handle: 0x000002e0
suspend_count: 1
process_identifier: 2084
1 0 0