Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 26, 2021, 9:22 a.m.	Oct. 26, 2021, 9:24 a.m.

Size	774.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`7e34b4aa4d4f682ee40b83168405a191`
SHA256	`c348a860fa571902a6226ba5b5153b5b5937e3181103ed895f4a78d0454451f8`
CRC32	`9AA55640`
ssdeep	`12288:UviLInUpzdOOD3vsYaUDKPr5GtWakT3Lf9AmtHhtqEEd4OE:UviLIUBgOIYdr5kTBVdhtC3`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

ACL.exe "C:\Users\test22\AppData\Local\Temp\ACL.exe"
2416
- ACL.exe "C:\Users\test22\AppData\Local\Temp\ACL.exe"
  2312
  - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\install.vbs"
    2884
    - cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Roaming\win32.exe"
      1908
      - win32.exe C:\Users\test22\AppData\Roaming\win32.exe
        2080
        
        win32.exe "C:\Users\test22\AppData\Roaming\win32.exe"
        2160

Name	Response	Post-Analysis Lookup
jamaru1444.myftp.biz	A 212.193.30.133	212.193.30.133

IP Address	Status	Action
164.124.101.2	Active	Moloch
212.193.30.133	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:61479 -> 164.124.101.2:53	2013823	ET INFO DYNAMIC_DNS Query to a Suspicious *.myftp.biz Domain	Potentially Bad Traffic
UDP 192.168.56.101:61479 -> 164.124.101.2:53	2027863	ET INFO Observed DNS Query to .biz TLD	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 26, 2021, 9:22 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 9:22 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 9:23 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 9:23 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 26, 2021, 9:22 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (1 event)

domain

jamaru1444.myftp.biz

Allocates read-write-execute memory (usually to unpack itself) (50 out of 59 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 26, 2021, 9:22 a.m.	process_identifier: 2416 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:22 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2021, 9:22 a.m.	process_identifier: 2416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2021, 9:22 a.m.	process_identifier: 2416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:22 a.m.	process_identifier: 2416 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a70000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:22 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:22 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00892000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:22 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00905000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:22 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0090b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:22 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00907000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:22 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:22 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:22 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0089a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:22 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:22 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:22 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:22 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:22 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:22 a.m.	process_identifier: 2416 region_size: 176128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2021, 9:22 a.m.	process_identifier: 2416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71fb2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:22 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05210000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2416 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05211000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05216000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05217000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05218000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05219000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74242000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2080 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00820000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72531000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72532000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2080 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00537000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2080 region_size: 176128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70212000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

win32.exe tried to sleep 142 seconds, actually delayed analysis time by 142 seconds

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\install.vbs

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Roaming\win32.exe"

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\install.vbs

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 26, 2021, 9:23 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\install.vbs parameters: filepath: C:\Users\test22\AppData\Local\Temp\install.vbs	1	1	0
ShellExecuteExW Oct. 26, 2021, 9:23 a.m.	show_type: 0 filepath_r: cmd parameters: /c "C:\Users\test22\AppData\Roaming\win32.exe" filepath: cmd	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000c0e00', u'virtual_address': u'0x00002000', u'entropy': 7.624545441624695, u'name': u'.text', u'virtual_size': u'0x000c0dd0'}

entropy

7.62454544162

description

A section with a high entropy has been found

entropy

0.997414350356

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 26, 2021, 9:24 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (38 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Record Audio	rule	Sniff_Audio
description	Run a KeyLogger	rule	KeyLogger
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	browser info stealer	rule	infoStealer_browser_Zero
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Record Audio	rule	Sniff_Audio
description	Run a KeyLogger	rule	KeyLogger
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	browser info stealer	rule	infoStealer_browser_Zero

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Oct. 26, 2021, 9:24 a.m.	status_code: 0xffffffff process_identifier: 2856 process_handle: 0x00000274		0	0
NtTerminateProcess Oct. 26, 2021, 9:24 a.m.	status_code: 0xffffffff process_identifier: 2856 process_handle: 0x00000274	1	0	0

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2312 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000260	1	0
NtAllocateVirtualMemory Oct. 26, 2021, 9:24 a.m.	process_identifier: 2856 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000025c		3221225496
NtAllocateVirtualMemory Oct. 26, 2021, 9:24 a.m.	process_identifier: 2160 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000278	1	0

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\win				reg_value	"C:\Users\test22\AppData\Roaming\win32.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\win				reg_value	"C:\Users\test22\AppData\Roaming\win32.exe"

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2080 manipulating memory of non-child process 2856
NtAllocateVirtualMemory Oct. 26, 2021, 9:24 a.m.	process_identifier: 2856 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000025c		3221225496	0

Potential code injection by writing to the memory of another process (10 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Oct. 26, 2021, 9:23 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,cç¨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,cç¿cûâ,cîâ-cñã,cy¼%b±â,c\|¼Ócïâ,cy¼.bïâ,cRichîâ,cPEL¹8aà ÷0@èÜÀJP8l8l8l@0t.textf `.rdataXo0p@@.data\= @À.tls à@À.gfids0ð@@.rsrcÀJL¢@@.reloc8P:î@B base_address: 0x00400000 process_identifier: 2312 process_handle: 0x00000260	1	1
WriteProcessMemory Oct. 26, 2021, 9:23 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ´tE¸wE²tE..¡FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶F¡FP¶FP¶FP¶FP¶FP¶FP¶FP¶F¡Fÿÿÿÿ¸wE¨¢F¨¢F¨¢F¨¢F¨¢F¡F8zE¸{EEè¡F§FCPSTPDT°¢Fð¢Fÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ§Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨346E.?AVtype_info@@46E.?AVbad_alloc@std@@46E.?AVbad_array_new_length@std@@46E.?AVlogic_error@std@@46E.?AVlength_error@std@@46E.?AVout_of_range@std@@46E.?AV_Facet_base@std@@46E.?AV_Locimp@locale@std@@46E.?AVfacet@locale@std@@46E.?AU_Crt_new_delete@std@@46E.?AVcodecvt_base@std@@46E.?AUctype_base@std@@46E.?AV?$ctype@D@std@@46E.?AV?$codecvt@DDU_Mbstatet@@@std@@46E.?AVbad_exception@std@@46E.H46E.?AVfailure@ios_base@std@@46E.?AVruntime_error@std@@46E.?AVsystem_error@std@@46E.?AVbad_cast@std@@46E.?AV_System_error@std@@46E.?AVexception@std@@ base_address: 0x0046a000 process_identifier: 2312 process_handle: 0x00000260	1	1
WriteProcessMemory Oct. 26, 2021, 9:23 a.m.	buffer: base_address: 0x0046e000 process_identifier: 2312 process_handle: 0x00000260	1	1
WriteProcessMemory Oct. 26, 2021, 9:23 a.m.	buffer: ÛÓÀÓ?TØnØ?¼Ø?Ùr?u 5´4ë³ØÞ}Í}ôðð??(p'vØBØ^¥«õÝÝÍ½ijQiÞöC£¥'¡(dö¼Ù¼ b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x0046f000 process_identifier: 2312 process_handle: 0x00000260	1	1
WriteProcessMemory Oct. 26, 2021, 9:23 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2312 process_handle: 0x00000260	1	1
WriteProcessMemory Oct. 26, 2021, 9:24 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,cç¨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,cç¿cûâ,cîâ-cñã,cy¼%b±â,c\|¼Ócïâ,cy¼.bïâ,cRichîâ,cPEL¹8aà ÷0@èÜÀJP8l8l8l@0t.textf `.rdataXo0p@@.data\= @À.tls à@À.gfids0ð@@.rsrcÀJL¢@@.reloc8P:î@B base_address: 0x00400000 process_identifier: 2160 process_handle: 0x00000278	1	1
WriteProcessMemory Oct. 26, 2021, 9:24 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ´tE¸wE²tE..¡FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶F¡FP¶FP¶FP¶FP¶FP¶FP¶FP¶F¡Fÿÿÿÿ¸wE¨¢F¨¢F¨¢F¨¢F¨¢F¡F8zE¸{EEè¡F§FCPSTPDT°¢Fð¢Fÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ§Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨346E.?AVtype_info@@46E.?AVbad_alloc@std@@46E.?AVbad_array_new_length@std@@46E.?AVlogic_error@std@@46E.?AVlength_error@std@@46E.?AVout_of_range@std@@46E.?AV_Facet_base@std@@46E.?AV_Locimp@locale@std@@46E.?AVfacet@locale@std@@46E.?AU_Crt_new_delete@std@@46E.?AVcodecvt_base@std@@46E.?AUctype_base@std@@46E.?AV?$ctype@D@std@@46E.?AV?$codecvt@DDU_Mbstatet@@@std@@46E.?AVbad_exception@std@@46E.H46E.?AVfailure@ios_base@std@@46E.?AVruntime_error@std@@46E.?AVsystem_error@std@@46E.?AVbad_cast@std@@46E.?AV_System_error@std@@46E.?AVexception@std@@ base_address: 0x0046a000 process_identifier: 2160 process_handle: 0x00000278	1	1
WriteProcessMemory Oct. 26, 2021, 9:24 a.m.	buffer: base_address: 0x0046e000 process_identifier: 2160 process_handle: 0x00000278	1	1
WriteProcessMemory Oct. 26, 2021, 9:24 a.m.	buffer: ÛÓÀÓ?TØnØ?¼Ø?Ùr?u 5´4ë³ØÞ}Í}ôðð??(p'vØBØ^¥«õÝÝÍ½ijQiÞöC£¥'¡(dö¼Ù¼ b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x0046f000 process_identifier: 2160 process_handle: 0x00000278	1	1
WriteProcessMemory Oct. 26, 2021, 9:24 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2160 process_handle: 0x00000278	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 26, 2021, 9:23 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,cç¨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,cç¿cûâ,cîâ-cñã,cy¼%b±â,c\|¼Ócïâ,cy¼.bïâ,cRichîâ,cPEL¹8aà ÷0@èÜÀJP8l8l8l@0t.textf `.rdataXo0p@@.data\= @À.tls à@À.gfids0ð@@.rsrcÀJL¢@@.reloc8P:î@B base_address: 0x00400000 process_identifier: 2312 process_handle: 0x00000260	1	1	0
WriteProcessMemory Oct. 26, 2021, 9:24 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,cç¨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,cç¿cûâ,cîâ-cñã,cy¼%b±â,c\|¼Ócïâ,cy¼.bïâ,cRichîâ,cPEL¹8aà ÷0@èÜÀJP8l8l8l@0t.textf `.rdataXo0p@@.data\= @À.tls à@À.gfids0ð@@.rsrcÀJL¢@@.reloc8P:î@B base_address: 0x00400000 process_identifier: 2160 process_handle: 0x00000278	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Oct. 26, 2021, 9:24 a.m.	thread_identifier: 0 callback_function: 0x0040887b hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	3670587	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2416 called NtSetContextThread to modify thread in remote process 2312
Process injection	Process 2080 called NtSetContextThread to modify thread in remote process 2160
NtSetContextThread Oct. 26, 2021, 9:23 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4388637 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000258 process_identifier: 2312	1	0	0
NtSetContextThread Oct. 26, 2021, 9:24 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4388637 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000274 process_identifier: 2160	1	0	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	cmd /c "C:\Users\test22\AppData\Roaming\win32.exe"
parent_process	wscript.exe				martian_process	"C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Roaming\win32.exe"

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2416 resumed a thread in remote process 2312
Process injection	Process 2080 resumed a thread in remote process 2160
NtResumeThread Oct. 26, 2021, 9:23 a.m.	thread_handle: 0x00000258 suspend_count: 1 process_identifier: 2312	1	0	0
NtResumeThread Oct. 26, 2021, 9:24 a.m.	thread_handle: 0x00000274 suspend_count: 1 process_identifier: 2160	1	0	0

Executed a process and injected code into it, probably while unpacking (41 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 26, 2021, 9:22 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2416	1	0
NtResumeThread Oct. 26, 2021, 9:22 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2416	1	0
NtResumeThread Oct. 26, 2021, 9:22 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2416	1	0
CreateProcessInternalW Oct. 26, 2021, 9:23 a.m.	thread_identifier: 1940 thread_handle: 0x00000258 process_identifier: 2312 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\ACL.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\ACL.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000260	1	1
NtGetContextThread Oct. 26, 2021, 9:23 a.m.	thread_handle: 0x00000258	1	0
NtAllocateVirtualMemory Oct. 26, 2021, 9:23 a.m.	process_identifier: 2312 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000260	1	0
WriteProcessMemory Oct. 26, 2021, 9:23 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,cç¨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,cç¿cûâ,cîâ-cñã,cy¼%b±â,c\|¼Ócïâ,cy¼.bïâ,cRichîâ,cPEL¹8aà ÷0@èÜÀJP8l8l8l@0t.textf `.rdataXo0p@@.data\= @À.tls à@À.gfids0ð@@.rsrcÀJL¢@@.reloc8P:î@B base_address: 0x00400000 process_identifier: 2312 process_handle: 0x00000260	1	1
WriteProcessMemory Oct. 26, 2021, 9:23 a.m.	buffer: base_address: 0x00401000 process_identifier: 2312 process_handle: 0x00000260	1	1
WriteProcessMemory Oct. 26, 2021, 9:23 a.m.	buffer: base_address: 0x00453000 process_identifier: 2312 process_handle: 0x00000260	1	1
WriteProcessMemory Oct. 26, 2021, 9:23 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ´tE¸wE²tE..¡FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶F¡FP¶FP¶FP¶FP¶FP¶FP¶FP¶F¡Fÿÿÿÿ¸wE¨¢F¨¢F¨¢F¨¢F¨¢F¡F8zE¸{EEè¡F§FCPSTPDT°¢Fð¢Fÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ§Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨346E.?AVtype_info@@46E.?AVbad_alloc@std@@46E.?AVbad_array_new_length@std@@46E.?AVlogic_error@std@@46E.?AVlength_error@std@@46E.?AVout_of_range@std@@46E.?AV_Facet_base@std@@46E.?AV_Locimp@locale@std@@46E.?AVfacet@locale@std@@46E.?AU_Crt_new_delete@std@@46E.?AVcodecvt_base@std@@46E.?AUctype_base@std@@46E.?AV?$ctype@D@std@@46E.?AV?$codecvt@DDU_Mbstatet@@@std@@46E.?AVbad_exception@std@@46E.H46E.?AVfailure@ios_base@std@@46E.?AVruntime_error@std@@46E.?AVsystem_error@std@@46E.?AVbad_cast@std@@46E.?AV_System_error@std@@46E.?AVexception@std@@ base_address: 0x0046a000 process_identifier: 2312 process_handle: 0x00000260	1	1
WriteProcessMemory Oct. 26, 2021, 9:23 a.m.	buffer: base_address: 0x0046e000 process_identifier: 2312 process_handle: 0x00000260	1	1
WriteProcessMemory Oct. 26, 2021, 9:23 a.m.	buffer: ÛÓÀÓ?TØnØ?¼Ø?Ùr?u 5´4ë³ØÞ}Í}ôðð??(p'vØBØ^¥«õÝÝÍ½ijQiÞöC£¥'¡(dö¼Ù¼ b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x0046f000 process_identifier: 2312 process_handle: 0x00000260	1	1
WriteProcessMemory Oct. 26, 2021, 9:23 a.m.	buffer: base_address: 0x00470000 process_identifier: 2312 process_handle: 0x00000260	1	1
WriteProcessMemory Oct. 26, 2021, 9:23 a.m.	buffer: base_address: 0x00475000 process_identifier: 2312 process_handle: 0x00000260	1	1
WriteProcessMemory Oct. 26, 2021, 9:23 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2312 process_handle: 0x00000260	1	1
NtSetContextThread Oct. 26, 2021, 9:23 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4388637 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000258 process_identifier: 2312	1	0
NtResumeThread Oct. 26, 2021, 9:23 a.m.	thread_handle: 0x00000258 suspend_count: 1 process_identifier: 2312	1	0
NtResumeThread Oct. 26, 2021, 9:23 a.m.	thread_handle: 0x0000026c suspend_count: 1 process_identifier: 2312	1	0
CreateProcessInternalW Oct. 26, 2021, 9:23 a.m.	thread_identifier: 1568 thread_handle: 0x00000290 process_identifier: 2884 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\wscript.exe track: 1 command_line: "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\install.vbs" filepath_r: C:\Windows\System32\WScript.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000284	1	1
CreateProcessInternalW Oct. 26, 2021, 9:23 a.m.	thread_identifier: 2948 thread_handle: 0x000002ec process_identifier: 1908 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Roaming\win32.exe" filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002f4	1	1
CreateProcessInternalW Oct. 26, 2021, 9:23 a.m.	thread_identifier: 1684 thread_handle: 0x00000084 process_identifier: 2080 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\win32.exe track: 1 command_line: C:\Users\test22\AppData\Roaming\win32.exe filepath_r: C:\Users\test22\AppData\Roaming\win32.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
NtResumeThread Oct. 26, 2021, 9:23 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2080	1	0
NtResumeThread Oct. 26, 2021, 9:23 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2080	1	0
NtResumeThread Oct. 26, 2021, 9:23 a.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 2080	1	0
CreateProcessInternalW Oct. 26, 2021, 9:24 a.m.	thread_identifier: 2656 thread_handle: 0x00000258 process_identifier: 2856 current_directory: filepath: C:\Users\test22\AppData\Roaming\win32.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Roaming\win32.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000025c	1	1
NtGetContextThread Oct. 26, 2021, 9:24 a.m.	thread_handle: 0x00000258	1	0
NtAllocateVirtualMemory Oct. 26, 2021, 9:24 a.m.	process_identifier: 2856 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000025c		3221225496
CreateProcessInternalW Oct. 26, 2021, 9:24 a.m.	thread_identifier: 1744 thread_handle: 0x00000274 process_identifier: 2160 current_directory: filepath: C:\Users\test22\AppData\Roaming\win32.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Roaming\win32.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000278	1	1
NtGetContextThread Oct. 26, 2021, 9:24 a.m.	thread_handle: 0x00000274	1	0
NtAllocateVirtualMemory Oct. 26, 2021, 9:24 a.m.	process_identifier: 2160 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000278	1	0
WriteProcessMemory Oct. 26, 2021, 9:24 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,cç¨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,cç¿cûâ,cîâ-cñã,cy¼%b±â,c\|¼Ócïâ,cy¼.bïâ,cRichîâ,cPEL¹8aà ÷0@èÜÀJP8l8l8l@0t.textf `.rdataXo0p@@.data\= @À.tls à@À.gfids0ð@@.rsrcÀJL¢@@.reloc8P:î@B base_address: 0x00400000 process_identifier: 2160 process_handle: 0x00000278	1	1
WriteProcessMemory Oct. 26, 2021, 9:24 a.m.	buffer: base_address: 0x00401000 process_identifier: 2160 process_handle: 0x00000278	1	1
WriteProcessMemory Oct. 26, 2021, 9:24 a.m.	buffer: base_address: 0x00453000 process_identifier: 2160 process_handle: 0x00000278	1	1
WriteProcessMemory Oct. 26, 2021, 9:24 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ´tE¸wE²tE..¡FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶F¡FP¶FP¶FP¶FP¶FP¶FP¶FP¶F¡Fÿÿÿÿ¸wE¨¢F¨¢F¨¢F¨¢F¨¢F¡F8zE¸{EEè¡F§FCPSTPDT°¢Fð¢Fÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ§Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨346E.?AVtype_info@@46E.?AVbad_alloc@std@@46E.?AVbad_array_new_length@std@@46E.?AVlogic_error@std@@46E.?AVlength_error@std@@46E.?AVout_of_range@std@@46E.?AV_Facet_base@std@@46E.?AV_Locimp@locale@std@@46E.?AVfacet@locale@std@@46E.?AU_Crt_new_delete@std@@46E.?AVcodecvt_base@std@@46E.?AUctype_base@std@@46E.?AV?$ctype@D@std@@46E.?AV?$codecvt@DDU_Mbstatet@@@std@@46E.?AVbad_exception@std@@46E.H46E.?AVfailure@ios_base@std@@46E.?AVruntime_error@std@@46E.?AVsystem_error@std@@46E.?AVbad_cast@std@@46E.?AV_System_error@std@@46E.?AVexception@std@@ base_address: 0x0046a000 process_identifier: 2160 process_handle: 0x00000278	1	1
WriteProcessMemory Oct. 26, 2021, 9:24 a.m.	buffer: base_address: 0x0046e000 process_identifier: 2160 process_handle: 0x00000278	1	1
WriteProcessMemory Oct. 26, 2021, 9:24 a.m.	buffer: ÛÓÀÓ?TØnØ?¼Ø?Ùr?u 5´4ë³ØÞ}Í}ôðð??(p'vØBØ^¥«õÝÝÍ½ijQiÞöC£¥'¡(dö¼Ù¼ b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x0046f000 process_identifier: 2160 process_handle: 0x00000278	1	1
WriteProcessMemory Oct. 26, 2021, 9:24 a.m.	buffer: base_address: 0x00470000 process_identifier: 2160 process_handle: 0x00000278	1	1
WriteProcessMemory Oct. 26, 2021, 9:24 a.m.	buffer: base_address: 0x00475000 process_identifier: 2160 process_handle: 0x00000278	1	1
WriteProcessMemory Oct. 26, 2021, 9:24 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2160 process_handle: 0x00000278	1	1
NtSetContextThread Oct. 26, 2021, 9:24 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4388637 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000274 process_identifier: 2160	1	0
NtResumeThread Oct. 26, 2021, 9:24 a.m.	thread_handle: 0x00000274 suspend_count: 1 process_identifier: 2160	1	0

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	IL:Trojan.MSILZilla.5032
FireEye	Generic.mg.7e34b4aa4d4f682e
McAfee	PWS-FCZF!7E34B4AA4D4F
Sangfor	Virus.Win32.Save.a
K7AntiVirus	Trojan ( 005894f31 )
BitDefender	IL:Trojan.MSILZilla.5032
K7GW	Trojan ( 005894f31 )
Cyren	W32/MSIL_Kryptik.FXY.gen!Eldorado
Symantec	Scr.Malcode!gdn30
ESET-NOD32	a variant of MSIL/Kryptik.ADGH
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-PSW.MSIL.Stealer.gen
Ad-Aware	IL:Trojan.MSILZilla.5032
Emsisoft	Trojan.Agent (A)
DrWeb	Trojan.DownLoader43.49359
SentinelOne	Static AI - Malicious PE
MAX	malware (ai score=87)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Arcabit	IL:Trojan.MSILZilla.D13A8
GData	MSIL.Trojan.PSE.OOI3UP
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.MSILKrypt.R446905
Malwarebytes	Trojan.MalPack.PNG.Generic
Panda	Trj/GdSda.A
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.ADGL!tr
AVG	Win32:MalwareX-gen [Trj]
Avast	Win32:MalwareX-gen [Trj]

The process wscript.exe wrote an executable file to disk which it then attempted to execute (2 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\cmd.exe

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (12 events)

dead_host	192.168.56.101:49213
dead_host	192.168.56.101:49212
dead_host	212.193.30.133:2019
dead_host	192.168.56.101:49211
dead_host	192.168.56.101:49210
dead_host	192.168.56.101:49209
dead_host	192.168.56.101:49208
dead_host	192.168.56.101:49218
dead_host	192.168.56.101:49215
dead_host	192.168.56.101:49217
dead_host	192.168.56.101:49214
dead_host	192.168.56.101:49216

ACL.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All