Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 7, 2021, 5:34 p.m.	Oct. 7, 2021, 5:36 p.m.

Size	1.3MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`0497faff25c24f11d0813f8da6b5c2d7`
SHA256	`b3e18d1026779e01b6bc834a8da488eeb669e5e366ef8d495c109c0f1424d3c1`
CRC32	`42A6FD79`
ssdeep	`24576:4wH20Pcntu9H8cXQOoklad/Ipy0kHnd81ERqQjNLBF9oOAlv7AVx0Y:4wH2fuyaC56yLBUW`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

ConsoleApp17.exe "C:\Users\test22\AppData\Local\Temp\ConsoleApp17.exe"
1116
- ConsoleApp17.exe C:\Users\test22\AppData\Local\Temp\ConsoleApp17.exe
  2552
  - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\dismusjtudcqasquwgxonxjwoydytnhqj.vbs"
    560

Name	Response	Post-Analysis Lookup
lplazadtemins.duckdns.org	A 194.147.140.45	194.147.140.45

IP Address	Status	Action
164.124.101.2	Active	Moloch
194.147.140.45	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:61479 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.101:49203 194.147.140.45:443	None	None	None
TLS 1.3 192.168.56.101:49206 194.147.140.45:443	None	None	None

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 7, 2021, 5:34 p.m.			0	0
IsDebuggerPresent Oct. 7, 2021, 5:34 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 7, 2021, 5:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00682e38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 7, 2021, 5:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00682e38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 7, 2021, 5:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00682d78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 7, 2021, 5:34 p.m.		1	1	0

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ Oct. 7, 2021, 5:35 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0xafa71d 0xaf977e 0xaf659d 0xaf56a8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d3711 @ 0x6ff13711 mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x3133fd @ 0x6ff533fd 0xaf0156 0xaf007e DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 2878108 registers.edi: 1990713288 registers.eax: 16777216 registers.ebp: 2878312 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Oct. 7, 2021, 5:35 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0xafa71d 0xaf977e 0xaf659d 0xaf56a8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d3711 @ 0x6ff13711 mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x3133fd @ 0x6ff533fd 0xaf0156 0xaf007e DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 2878108 registers.edi: 1990713288 registers.eax: 4194304 registers.ebp: 2878312 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Oct. 7, 2021, 5:35 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0xafa71d 0xaf977e 0xaf659d 0xaf56a8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d3711 @ 0x6ff13711 mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x3133fd @ 0x6ff533fd 0xaf0156 0xaf007e DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 2878108 registers.edi: 1990713288 registers.eax: 15728640 registers.ebp: 2878312 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 7, 2021, 5:35 p.m.

stacktrace:

K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e
0xafa71d
0xaf977e
0xaf659d
0xaf56a8
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737
mscorlib+0x2d3711 @ 0x6ff13711
mscorlib+0x308f2d @ 0x6ff48f2d
mscorlib+0x3133fd @ 0x6ff533fd
0xaf0156
0xaf007e
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7575b479
registers.esp: 2878108
registers.edi: 1990713288
registers.eax: 16777216
registers.ebp: 2878312
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0

__exception__

Oct. 7, 2021, 5:35 p.m.

stacktrace:

K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e
0xafa71d
0xaf977e
0xaf659d
0xaf56a8
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737
mscorlib+0x2d3711 @ 0x6ff13711
mscorlib+0x308f2d @ 0x6ff48f2d
mscorlib+0x3133fd @ 0x6ff533fd
0xaf0156
0xaf007e
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7575b479
registers.esp: 2878108
registers.edi: 1990713288
registers.eax: 4194304
registers.ebp: 2878312
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0

__exception__

Oct. 7, 2021, 5:35 p.m.

stacktrace:

K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e
0xafa71d
0xaf977e
0xaf659d
0xaf56a8
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737
mscorlib+0x2d3711 @ 0x6ff13711
mscorlib+0x308f2d @ 0x6ff48f2d
mscorlib+0x3133fd @ 0x6ff533fd
0xaf0156
0xaf007e
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7575b479
registers.esp: 2878108
registers.edi: 1990713288
registers.eax: 15728640
registers.ebp: 2878312
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (1 event)

domain

lplazadtemins.duckdns.org

Allocates read-write-execute memory (usually to unpack itself) (31 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Oct. 7, 2021, 5:34 p.m.	process_identifier: 1116 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 7, 2021, 5:34 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 7, 2021, 5:34 p.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 7, 2021, 5:34 p.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 7, 2021, 5:34 p.m.	process_identifier: 1116 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b40000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 7, 2021, 5:34 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 7, 2021, 5:34 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 7, 2021, 5:34 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 7, 2021, 5:34 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 7, 2021, 5:34 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 7, 2021, 5:34 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 7, 2021, 5:34 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 7, 2021, 5:34 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 7, 2021, 5:34 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 7, 2021, 5:34 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 7, 2021, 5:34 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 7, 2021, 5:34 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 7, 2021, 5:34 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 7, 2021, 5:34 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 7, 2021, 5:34 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 7, 2021, 5:34 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 7, 2021, 5:35 p.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Oct. 7, 2021, 5:35 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 7, 2021, 5:35 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 7, 2021, 5:35 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 7, 2021, 5:35 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 7, 2021, 5:35 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 7, 2021, 5:35 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00afa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 7, 2021, 5:35 p.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 7, 2021, 5:36 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b82000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 7, 2021, 5:36 p.m.	process_identifier: 560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d72000 process_handle: 0xffffffff	1	0

A process attempted to delay the analysis task. (1 event)

description

ConsoleApp17.exe tried to sleep 192 seconds, actually delayed analysis time by 192 seconds

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\dismusjtudcqasquwgxonxjwoydytnhqj.vbs

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\dismusjtudcqasquwgxonxjwoydytnhqj.vbs

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\ConsoleApp17.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 7, 2021, 5:36 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\dismusjtudcqasquwgxonxjwoydytnhqj.vbs parameters: filepath: C:\Users\test22\AppData\Local\Temp\dismusjtudcqasquwgxonxjwoydytnhqj.vbs	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 7, 2021, 5:35 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (19 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	browser info stealer	rule	infoStealer_browser_Zero
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 7, 2021, 5:35 p.m.	process_identifier: 2552 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000294	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\taskmgr

reg_value

"C:\Users\test22\AppData\Local\taskmgr.exe"

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\ConsoleApp17.exe

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Oct. 7, 2021, 5:35 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ª@0îb.cîb.cîb.cZþßcüb.cZþÝcOb.cZþÜcðb.cçªcïb.cpÂécìb.cÕ<-bôb.cÕ<+bÔb.cÕ<*bÌb.cç½cûb.cîb/cÏc.cy<'b±b.c\|<Ñcïb.cy<,bïb.cRichîb.cPEL;Waà 9ü0@ÜpKPÄ8 l8´lXl@0\|.text `.rdatao0p$@@.dataì? @À.tls à¢@À.gfids0ð¤@@.rsrcpKL¨@@.relocÄ8P:ô@B base_address: 0x00400000 process_identifier: 2552 process_handle: 0x00000294	1	1
WriteProcessMemory Oct. 7, 2021, 5:35 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ¬tE°wEªtE..p¡F<¶F<¶F<¶F<¶F<¶F<¶F<¶F<¶F<¶Ft¡F@¶F@¶F@¶F@¶F@¶F@¶F@¶Fx¡Fÿÿÿÿ°wE¢F¢F¢F¢F¢Fx¡F0zE°{EEØ¡Fp§FCPSTPDT ¢Fà¢Fÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZp§Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨346E.?AVtype_info@@46E.?AVbad_alloc@std@@46E.?AVbad_array_new_length@std@@46E.?AVlogic_error@std@@46E.?AVlength_error@std@@46E.?AVout_of_range@std@@46E.?AV_Facet_base@std@@46E.?AV_Locimp@locale@std@@46E.?AVfacet@locale@std@@46E.?AU_Crt_new_delete@std@@46E.?AVcodecvt_base@std@@46E.?AUctype_base@std@@46E.?AV?$ctype@D@std@@46E.?AV?$codecvt@DDU_Mbstatet@@@std@@46E.?AVbad_exception@std@@46E.H46E.?AVfailure@ios_base@std@@46E.?AVruntime_error@std@@46E.?AVsystem_error@std@@46E.?AVbad_cast@std@@46E.?AV_System_error@std@@46E.?AVexception@std@@ base_address: 0x0046a000 process_identifier: 2552 process_handle: 0x00000294	1	1
WriteProcessMemory Oct. 7, 2021, 5:35 p.m.	buffer: base_address: 0x0046e000 process_identifier: 2552 process_handle: 0x00000294	1	1
WriteProcessMemory Oct. 7, 2021, 5:35 p.m.	buffer: ÙôØ?iÝÝ?ÑÝ?Ùw?zÊ@t@G##ÈÝÞÍ(öÐõ??M- ,ÝWÝÖ±ßú»Þ»Þý »#»{\|QnÊã='¢t¨ÄªX¦-ûÅÁÍÞ¼ b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x0046f000 process_identifier: 2552 process_handle: 0x00000294	1	1
WriteProcessMemory Oct. 7, 2021, 5:35 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2552 process_handle: 0x00000294	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 7, 2021, 5:35 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ª@0îb.cîb.cîb.cZþßcüb.cZþÝcOb.cZþÜcðb.cçªcïb.cpÂécìb.cÕ<-bôb.cÕ<+bÔb.cÕ<*bÌb.cç½cûb.cîb/cÏc.cy<'b±b.c\|<Ñcïb.cy<,bïb.cRichîb.cPEL;Waà 9ü0@ÜpKPÄ8 l8´lXl@0\|.text `.rdatao0p$@@.dataì? @À.tls à¢@À.gfids0ð¤@@.rsrcpKL¨@@.relocÄ8P:ô@B base_address: 0x00400000 process_identifier: 2552 process_handle: 0x00000294	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Oct. 7, 2021, 5:35 p.m.	thread_identifier: 0 callback_function: 0x00408981 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	10093379	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1116 called NtSetContextThread to modify thread in remote process 2552
NtSetContextThread Oct. 7, 2021, 5:35 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4389945 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000298 process_identifier: 2552	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1116 resumed a thread in remote process 2552
NtResumeThread Oct. 7, 2021, 5:35 p.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 2552	1	0	0

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

Executed a process and injected code into it, probably while unpacking (19 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 7, 2021, 5:34 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1116	1	0
NtResumeThread Oct. 7, 2021, 5:34 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 1116	1	0
NtResumeThread Oct. 7, 2021, 5:34 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 1116	1	0
NtResumeThread Oct. 7, 2021, 5:35 p.m.	thread_handle: 0x00000284 suspend_count: 1 process_identifier: 1116	1	0
CreateProcessInternalW Oct. 7, 2021, 5:35 p.m.	thread_identifier: 888 thread_handle: 0x00000298 process_identifier: 2552 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\ConsoleApp17.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000294	1	1
NtGetContextThread Oct. 7, 2021, 5:35 p.m.	thread_handle: 0x00000298	1	0
NtAllocateVirtualMemory Oct. 7, 2021, 5:35 p.m.	process_identifier: 2552 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000294	1	0
WriteProcessMemory Oct. 7, 2021, 5:35 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ª@0îb.cîb.cîb.cZþßcüb.cZþÝcOb.cZþÜcðb.cçªcïb.cpÂécìb.cÕ<-bôb.cÕ<+bÔb.cÕ<*bÌb.cç½cûb.cîb/cÏc.cy<'b±b.c\|<Ñcïb.cy<,bïb.cRichîb.cPEL;Waà 9ü0@ÜpKPÄ8 l8´lXl@0\|.text `.rdatao0p$@@.dataì? @À.tls à¢@À.gfids0ð¤@@.rsrcpKL¨@@.relocÄ8P:ô@B base_address: 0x00400000 process_identifier: 2552 process_handle: 0x00000294	1	1
WriteProcessMemory Oct. 7, 2021, 5:35 p.m.	buffer: base_address: 0x00401000 process_identifier: 2552 process_handle: 0x00000294	1	1
WriteProcessMemory Oct. 7, 2021, 5:35 p.m.	buffer: base_address: 0x00453000 process_identifier: 2552 process_handle: 0x00000294	1	1
WriteProcessMemory Oct. 7, 2021, 5:35 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ¬tE°wEªtE..p¡F<¶F<¶F<¶F<¶F<¶F<¶F<¶F<¶F<¶Ft¡F@¶F@¶F@¶F@¶F@¶F@¶F@¶Fx¡Fÿÿÿÿ°wE¢F¢F¢F¢F¢Fx¡F0zE°{EEØ¡Fp§FCPSTPDT ¢Fà¢Fÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZp§Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨346E.?AVtype_info@@46E.?AVbad_alloc@std@@46E.?AVbad_array_new_length@std@@46E.?AVlogic_error@std@@46E.?AVlength_error@std@@46E.?AVout_of_range@std@@46E.?AV_Facet_base@std@@46E.?AV_Locimp@locale@std@@46E.?AVfacet@locale@std@@46E.?AU_Crt_new_delete@std@@46E.?AVcodecvt_base@std@@46E.?AUctype_base@std@@46E.?AV?$ctype@D@std@@46E.?AV?$codecvt@DDU_Mbstatet@@@std@@46E.?AVbad_exception@std@@46E.H46E.?AVfailure@ios_base@std@@46E.?AVruntime_error@std@@46E.?AVsystem_error@std@@46E.?AVbad_cast@std@@46E.?AV_System_error@std@@46E.?AVexception@std@@ base_address: 0x0046a000 process_identifier: 2552 process_handle: 0x00000294	1	1
WriteProcessMemory Oct. 7, 2021, 5:35 p.m.	buffer: base_address: 0x0046e000 process_identifier: 2552 process_handle: 0x00000294	1	1
WriteProcessMemory Oct. 7, 2021, 5:35 p.m.	buffer: ÙôØ?iÝÝ?ÑÝ?Ùw?zÊ@t@G##ÈÝÞÍ(öÐõ??M- ,ÝWÝÖ±ßú»Þ»Þý »#»{\|QnÊã='¢t¨ÄªX¦-ûÅÁÍÞ¼ b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x0046f000 process_identifier: 2552 process_handle: 0x00000294	1	1
WriteProcessMemory Oct. 7, 2021, 5:35 p.m.	buffer: base_address: 0x00470000 process_identifier: 2552 process_handle: 0x00000294	1	1
WriteProcessMemory Oct. 7, 2021, 5:35 p.m.	buffer: base_address: 0x00475000 process_identifier: 2552 process_handle: 0x00000294	1	1
WriteProcessMemory Oct. 7, 2021, 5:35 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2552 process_handle: 0x00000294	1	1
NtSetContextThread Oct. 7, 2021, 5:35 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4389945 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000298 process_identifier: 2552	1	0
NtResumeThread Oct. 7, 2021, 5:35 p.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 2552	1	0
CreateProcessInternalW Oct. 7, 2021, 5:36 p.m.	thread_identifier: 2800 thread_handle: 0x000003b0 process_identifier: 560 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\wscript.exe track: 1 command_line: "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\dismusjtudcqasquwgxonxjwoydytnhqj.vbs" filepath_r: C:\Windows\System32\WScript.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003a4	1	1

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.MSIL.Cassiopeia.4
FireEye	Generic.mg.0497faff25c24f11
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 005887921 )
Alibaba	Trojan:MSIL/Kryptik.07d5c9ac
K7GW	Trojan ( 005887921 )
CrowdStrike	win/malicious_confidence_80% (W)
Cyren	W32/MSIL_Kryptik.EUB.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik.ADAY
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Downloader.MSIL.Seraph.gen
BitDefender	Gen:Variant.MSIL.Cassiopeia.4
Avast	Win32:PWSX-gen [Trj]
Ad-Aware	Gen:Variant.MSIL.Cassiopeia.4
Emsisoft	Gen:Variant.MSIL.Cassiopeia.4 (B)
McAfee-GW-Edition	Artemis!Trojan
Sophos	Mal/Generic-S
Ikarus	Win32.Outbreak
Webroot	W32.Trojan.Gen
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Kryptik.oa
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	Gen:Variant.MSIL.Cassiopeia.4
McAfee	Artemis!0497FAFF25C2
MAX	malware (ai score=87)
Malwarebytes	Trojan.MalPack
TrendMicro-HouseCall	TROJ_GEN.R002H0DJ621
SentinelOne	Static AI - Malicious PE
Fortinet	MSIL/Agent.IZE!tr.dldr
BitDefenderTheta	Gen:NN.ZemsilF.34170.vn0@aGamK5h
AVG	Win32:PWSX-gen [Trj]
Cybereason	malicious.f25c24

ConsoleApp17.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All