Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 4, 2021, 2:43 p.m.	Nov. 4, 2021, 2:45 p.m.

Size	2.8MB
Type	MS-DOS executable, MZ for MS-DOS
MD5	`45f06e05ee29b52bbaad37c5cdeadc18`
SHA256	`027f61e8861f743bf8e8cb0ca2ea5de056790cffed76d375e5e84f6575bc7ff6`
CRC32	`A162B591`
ssdeep	`49152:nQ+gwLSXSrhe6GCiYcRHXePEdjK1Q1CjAS1LC8FkruizcmhkT6ZFQzKF3AS:Qll4mKbjAS1vkqFwkT6ZFTF3A`
Yara	MPRESS_Zero - MPRESS packed file Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file themida_packer - themida packer

hop.exe "C:\Users\test22\AppData\Local\Temp\hop.exe"
2320
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\install.vbs"
  2452
  - cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
    2532
    - winmap.exe C:\Users\test22\AppData\Roaming\winmap\winmap.exe
      2592
      - svchost.exe C:\Windows\SysWOW64\svchost.exe
        2656

Name	Response	Post-Analysis Lookup
my.bingoroll18.net
my.bingoroll20.net	A 172.67.214.103 A 104.21.86.33	104.21.86.33
my.bingoroll19.net	A 104.21.75.57 A 172.67.214.213	104.21.75.57

IP Address	Status	Action
104.21.86.33	Active	Moloch
164.124.101.2	Active	Moloch
172.67.214.213	Active	Moloch
178.20.44.131	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 4, 2021, 2:43 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.MPRESS1
section	.MPRESS2

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

TYPELIB

One or more processes crashed (9 events)

Time & API	Arguments	Status
__exception__ Nov. 4, 2021, 2:43 p.m.	stacktrace: hop+0x411308 @ 0x811308 hop+0x3ea204 @ 0x7ea204 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x766fb727 registers.esp: 1638148 registers.edi: 5185536 registers.eax: 1638148 registers.ebp: 1638228 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 1999795243 registers.ecx: 410189824	1
__exception__ Nov. 4, 2021, 2:43 p.m.	stacktrace: exception.instruction_r: ed e9 15 b6 ff ff b4 00 fc ff 0a 00 00 00 5a 5b exception.symbol: hop+0x426ff1 exception.instruction: in eax, dx exception.module: hop.exe exception.exception_code: 0xc0000096 exception.offset: 4354033 exception.address: 0x826ff1 registers.esp: 1638268 registers.edi: 13446725 registers.eax: 1750617430 registers.ebp: 5185536 registers.edx: 22614 registers.ebx: 4194304 registers.esi: 6406774 registers.ecx: 20	1
__exception__ Nov. 4, 2021, 2:43 p.m.	stacktrace: exception.instruction_r: ed e9 2d 85 fe ff c3 e9 32 00 00 00 66 14 0c 33 exception.symbol: hop+0x42f68d exception.instruction: in eax, dx exception.module: hop.exe exception.exception_code: 0xc0000096 exception.offset: 4388493 exception.address: 0x82f68d registers.esp: 1638268 registers.edi: 13446725 registers.eax: 1447909480 registers.ebp: 5185536 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 6406774 registers.ecx: 10	1
__exception__ Nov. 4, 2021, 2:43 p.m.	stacktrace: winmap+0x411308 @ 0x811308 winmap+0x3ea204 @ 0x7ea204 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x766fb727 registers.esp: 1638148 registers.edi: 5185536 registers.eax: 1638148 registers.ebp: 1638228 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 1999795243 registers.ecx: 163905536	1
__exception__ Nov. 4, 2021, 2:43 p.m.	stacktrace: exception.instruction_r: ed e9 15 b6 ff ff b4 00 fc ff 0a 00 00 00 5a 5b exception.symbol: winmap+0x426ff1 exception.instruction: in eax, dx exception.module: winmap.exe exception.exception_code: 0xc0000096 exception.offset: 4354033 exception.address: 0x826ff1 registers.esp: 1638268 registers.edi: 2568001 registers.eax: 1750617430 registers.ebp: 5185536 registers.edx: 22614 registers.ebx: 4194304 registers.esi: 6406774 registers.ecx: 20	1
__exception__ Nov. 4, 2021, 2:43 p.m.	stacktrace: exception.instruction_r: ed e9 2d 85 fe ff c3 e9 32 00 00 00 66 14 0c 33 exception.symbol: winmap+0x42f68d exception.instruction: in eax, dx exception.module: winmap.exe exception.exception_code: 0xc0000096 exception.offset: 4388493 exception.address: 0x82f68d registers.esp: 1638268 registers.edi: 2568001 registers.eax: 1447909480 registers.ebp: 5185536 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 6406774 registers.ecx: 10	1
__exception__ Nov. 4, 2021, 2:43 p.m.	stacktrace: svchost+0x411308 @ 0x811308 svchost+0x3ea204 @ 0x7ea204 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x766fb727 registers.esp: 916756 registers.edi: 5185536 registers.eax: 916756 registers.ebp: 916836 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 1999795243 registers.ecx: 219217920	1
__exception__ Nov. 4, 2021, 2:43 p.m.	stacktrace: exception.instruction_r: ed e9 15 b6 ff ff b4 00 fc ff 0a 00 00 00 5a 5b exception.symbol: svchost+0x426ff1 exception.instruction: in eax, dx exception.module: svchost.exe exception.exception_code: 0xc0000096 exception.offset: 4354033 exception.address: 0x826ff1 registers.esp: 916876 registers.edi: 13053599 registers.eax: 1750617430 registers.ebp: 5185536 registers.edx: 22614 registers.ebx: 4194304 registers.esi: 6406774 registers.ecx: 20	1
__exception__ Nov. 4, 2021, 2:43 p.m.	stacktrace: exception.instruction_r: ed e9 2d 85 fe ff c3 e9 32 00 00 00 66 14 0c 33 exception.symbol: svchost+0x42f68d exception.instruction: in eax, dx exception.module: svchost.exe exception.exception_code: 0xc0000096 exception.offset: 4388493 exception.address: 0x82f68d registers.esp: 916876 registers.edi: 13053599 registers.eax: 1447909480 registers.ebp: 5185536 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 6406774 registers.ecx: 10	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (47 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7734f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x772c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 335872 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 94208 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00453000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 307200 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00470000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004bb000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00468000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00453000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00453000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00453000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00453000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00468000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7734f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x772c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 335872 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 94208 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00453000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 307200 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00470000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004bb000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00468000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00453000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00453000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00453000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00453000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00468000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7734f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x772c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 335872 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 94208 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00453000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 307200 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00470000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004bb000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00468000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00453000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00453000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00453000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00453000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00468000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

winmap.exe tried to sleep 341 seconds, actually delayed analysis time by 341 seconds

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\install.vbs

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
cmdline	C:\Windows\SysWOW64\svchost.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Nov. 4, 2021, 2:43 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\install.vbs parameters: filepath: C:\Users\test22\AppData\Local\Temp\install.vbs	1	1	0
ShellExecuteExW Nov. 4, 2021, 2:43 p.m.	show_type: 0 filepath_r: cmd parameters: /c "C:\Users\test22\AppData\Roaming\winmap\winmap.exe" filepath: cmd	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x002a2600', u'virtual_address': u'0x00001000', u'entropy': 7.963939665849399, u'name': u'.MPRESS1', u'virtual_size': u'0x00709000'}

entropy

7.96393966585

description

A section with a high entropy has been found

entropy

0.932100898411

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

178.20.44.131

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2656 region_size: 7585792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000110	1	0	0

Checks for the presence of known windows from debuggers and forensic tools (50 out of 324 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: File Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: Process Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: File Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: Process Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 4, 2021, 2:43 p.m.	class_name: Regmonclass window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (50 out of 120 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winmap	reg_value	"C:\Users\test22\AppData\Roaming\winmap\winmap.exe"

Creates an executable file in a user folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\hop.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\install.vbs

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Nov. 4, 2021, 2:43 p.m.	buffer: MZ@ÿÿ¸ º´ Í!¸LÍ!Win32 .EXE. $@PEL;Waà `f¢p0@ÀsKÈ- ph°p¼¥pÜ pP.MPRESS1p&àà.MPRESS28 p(àà.rsrc¼°p.*@Àv2.19 base_address: 0x00400000 process_identifier: 2656 process_handle: 0x00000110	1	1
WriteProcessMemory Nov. 4, 2021, 2:43 p.m.	buffer: Ü p`¡pÜ pè pm¡pè pð p¡pð pø p¬¡pø p¡pÐ¡p¡p¡pì¡p¡p¡p¢p¡p¡p ¢p¡p ¡p+¢p ¡p(¡pO¢p(¡p<¡pO¡px¡p¡p¹¡pÜ¡pø¡p¢po6¢p[¢pGetModuleHandleAGetProcAddressKERNEL32.DLLUSER32.dllGetWindowTextWGDI32.dllCreateCompatibleBitmapADVAPI32.dllCryptAcquireContextASHELL32.dllShellExecuteWSHLWAPI.dllStrToIntAWINMM.dllwaveInAddBufferWS2_32.dllurlmon.dllURLOpenBlockingStreamWgdiplus.dllGdipFree`èX0ð+ÀþfÁàÈP+ÈñÈWQID91uöÖÏè\^Z+À2´+Ð+É;Ês&Ù¬A$þ<èuòCÁÀx;ÂsåëÃxßÂ+ÃFüëÖè_Çÿÿÿ°éª¸«èXéUììV3öF9uMðuøÆEÿãSW}ÿ2tD2ÀéÀà ÈFeôMþ¶Eÿ}+ø;÷ É}ÿ2tÁëãÿÿF}øûs ÑïöÃtçÿðÇuÿëKçëEãÁïët7Kt'KtKu2çÿÿt0ÇADëÏçÿ?ÇAFëçÿðÇAë³ç?G}ÿt ·2Áëë3Ûf2ãÿ¶EÿuÿðÃàøtXë8FûÿtÁëÃë'}ÿt 2Áè%ÿÿë·2FFût_Eø+ÇÛtB}ðÇ]ì]øÿEø@ÿMìuïMþë$}ÿ¶2t ¶D2ÁëÁàØ}øEðÿEø8FÿEôÐá}ôMþþÿÿëI3À8EÿtD2üÆEÿ%üÁàFëfD2û%ÀÑàáÈD Àt2]ø}ðEøÆHuê¶EÿM+È;ñ!þÿÿ_[Eø^ÉÂéþ:ÿõjÿMs0¥°8¥°$¥° base_address: 0x00b0a000 process_identifier: 2656 process_handle: 0x00000110	1	1
WriteProcessMemory Nov. 4, 2021, 2:43 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2656 process_handle: 0x00000110	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 4, 2021, 2:43 p.m.	buffer: MZ@ÿÿ¸ º´ Í!¸LÍ!Win32 .EXE. $@PEL;Waà `f¢p0@ÀsKÈ- ph°p¼¥pÜ pP.MPRESS1p&àà.MPRESS28 p(àà.rsrc¼°p.*@Àv2.19 base_address: 0x00400000 process_identifier: 2656 process_handle: 0x00000110	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2592 called NtSetContextThread to modify thread in remote process 2656
NtSetContextThread Nov. 4, 2021, 2:43 p.m.	registers.eip: 1999372740 registers.esp: 916992 registers.edi: 0 registers.eax: 11575910 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000f8 process_identifier: 2656	1	0	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	cmd /c "C:\Users\test22\AppData\Roaming\winmap\winmap.exe"
parent_process	wscript.exe				martian_process	"C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Roaming\winmap\winmap.exe"

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2592 resumed a thread in remote process 2656
NtResumeThread Nov. 4, 2021, 2:43 p.m.	thread_handle: 0x000000f8 suspend_count: 1 process_identifier: 2656	1	0	0

Detects VirtualBox through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Nov. 4, 2021, 2:43 p.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 4, 2021, 2:43 p.m.	stacktrace: exception.instruction_r: ed e9 2d 85 fe ff c3 e9 32 00 00 00 66 14 0c 33 exception.symbol: hop+0x42f68d exception.instruction: in eax, dx exception.module: hop.exe exception.exception_code: 0xc0000096 exception.offset: 4388493 exception.address: 0x82f68d registers.esp: 1638268 registers.edi: 13446725 registers.eax: 1447909480 registers.ebp: 5185536 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 6406774 registers.ecx: 10	1	0	0

Executed a process and injected code into it, probably while unpacking (17 events)

Time & API	Arguments	Status	Return
NtGetContextThread Nov. 4, 2021, 2:43 p.m.	thread_handle: 0xfffffffe	1	0
NtResumeThread Nov. 4, 2021, 2:43 p.m.	thread_handle: 0x0000027c suspend_count: 1 process_identifier: 2320	1	0
CreateProcessInternalW Nov. 4, 2021, 2:43 p.m.	thread_identifier: 2456 thread_handle: 0x000002a0 process_identifier: 2452 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\wscript.exe track: 1 command_line: "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\install.vbs" filepath_r: C:\Windows\System32\WScript.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000294	1	1
CreateProcessInternalW Nov. 4, 2021, 2:43 p.m.	thread_identifier: 2536 thread_handle: 0x000002e8 process_identifier: 2532 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Roaming\winmap\winmap.exe" filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002f8	1	1
CreateProcessInternalW Nov. 4, 2021, 2:43 p.m.	thread_identifier: 2596 thread_handle: 0x00000084 process_identifier: 2592 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\winmap\winmap.exe track: 1 command_line: C:\Users\test22\AppData\Roaming\winmap\winmap.exe filepath_r: C:\Users\test22\AppData\Roaming\winmap\winmap.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
NtGetContextThread Nov. 4, 2021, 2:43 p.m.	thread_handle: 0xfffffffe	1	0
CreateProcessInternalW Nov. 4, 2021, 2:43 p.m.	thread_identifier: 2660 thread_handle: 0x000000f8 process_identifier: 2656 current_directory: filepath: track: 1 command_line: C:\Windows\SysWOW64\svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000110	1	1
NtGetContextThread Nov. 4, 2021, 2:43 p.m.	thread_handle: 0x000000f8	1	0
NtAllocateVirtualMemory Nov. 4, 2021, 2:43 p.m.	process_identifier: 2656 region_size: 7585792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000110	1	0
WriteProcessMemory Nov. 4, 2021, 2:43 p.m.	buffer: MZ@ÿÿ¸ º´ Í!¸LÍ!Win32 .EXE. $@PEL;Waà `f¢p0@ÀsKÈ- ph°p¼¥pÜ pP.MPRESS1p&àà.MPRESS28 p(àà.rsrc¼°p.*@Àv2.19 base_address: 0x00400000 process_identifier: 2656 process_handle: 0x00000110	1	1
WriteProcessMemory Nov. 4, 2021, 2:43 p.m.	buffer: base_address: 0x00401000 process_identifier: 2656 process_handle: 0x00000110	1	1
WriteProcessMemory Nov. 4, 2021, 2:43 p.m.	buffer: Ü p`¡pÜ pè pm¡pè pð p¡pð pø p¬¡pø p¡pÐ¡p¡p¡pì¡p¡p¡p¢p¡p¡p ¢p¡p ¡p+¢p ¡p(¡pO¢p(¡p<¡pO¡px¡p¡p¹¡pÜ¡pø¡p¢po6¢p[¢pGetModuleHandleAGetProcAddressKERNEL32.DLLUSER32.dllGetWindowTextWGDI32.dllCreateCompatibleBitmapADVAPI32.dllCryptAcquireContextASHELL32.dllShellExecuteWSHLWAPI.dllStrToIntAWINMM.dllwaveInAddBufferWS2_32.dllurlmon.dllURLOpenBlockingStreamWgdiplus.dllGdipFree`èX0ð+ÀþfÁàÈP+ÈñÈWQID91uöÖÏè\^Z+À2´+Ð+É;Ês&Ù¬A$þ<èuòCÁÀx;ÂsåëÃxßÂ+ÃFüëÖè_Çÿÿÿ°éª¸«èXéUììV3öF9uMðuøÆEÿãSW}ÿ2tD2ÀéÀà ÈFeôMþ¶Eÿ}+ø;÷ É}ÿ2tÁëãÿÿF}øûs ÑïöÃtçÿðÇuÿëKçëEãÁïët7Kt'KtKu2çÿÿt0ÇADëÏçÿ?ÇAFëçÿðÇAë³ç?G}ÿt ·2Áëë3Ûf2ãÿ¶EÿuÿðÃàøtXë8FûÿtÁëÃë'}ÿt 2Áè%ÿÿë·2FFût_Eø+ÇÛtB}ðÇ]ì]øÿEø@ÿMìuïMþë$}ÿ¶2t ¶D2ÁëÁàØ}øEðÿEø8FÿEôÐá}ôMþþÿÿëI3À8EÿtD2üÆEÿ%üÁàFëfD2û%ÀÑàáÈD Àt2]ø}ðEøÆHuê¶EÿM+È;ñ!þÿÿ_[Eø^ÉÂéþ:ÿõjÿMs0¥°8¥°$¥° base_address: 0x00b0a000 process_identifier: 2656 process_handle: 0x00000110	1	1
WriteProcessMemory Nov. 4, 2021, 2:43 p.m.	buffer: base_address: 0x00b0b000 process_identifier: 2656 process_handle: 0x00000110	1	1
WriteProcessMemory Nov. 4, 2021, 2:43 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2656 process_handle: 0x00000110	1	1
NtSetContextThread Nov. 4, 2021, 2:43 p.m.	registers.eip: 1999372740 registers.esp: 916992 registers.edi: 0 registers.eax: 11575910 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000f8 process_identifier: 2656	1	0
NtResumeThread Nov. 4, 2021, 2:43 p.m.	thread_handle: 0x000000f8 suspend_count: 1 process_identifier: 2656	1	0
NtGetContextThread Nov. 4, 2021, 2:43 p.m.	thread_handle: 0xfffffffe	1	0

File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.37818537
FireEye	Generic.mg.45f06e05ee29b52b
McAfee	Artemis!45F06E05EE29
Cylance	Unsafe
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	Trojan:Win32/Starter.ali2000005
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.3a9705
Cyren	W32/Trojan.CLRY-7525
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Packed.Themida.IAB
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Backdoor.Win32.Remcos.twf
BitDefender	Trojan.GenericKD.37818537
Avast	Win32:Malware-gen
Sophos	Mal/Generic-S
DrWeb	Trojan.Siggen15.27252
TrendMicro	TROJ_GEN.R002C0WJL21
McAfee-GW-Edition	BehavesLike.Win32.Generic.vc
Emsisoft	Trojan.GenericKD.37818537 (B)
Ikarus	Trojan.Win32.Themida
GData	Trojan.GenericKD.37818537
Webroot	W32.Trojan.Gen
Avira	BDS/Remcos.qqxiq
ViRobot	Trojan.Win32.Z.Remcos.2963968
Microsoft	Trojan:Win32/Remcos!BV
Cynet	Malicious (score: 99)
AhnLab-V3	Malware/Win.Generic.C4712411
BitDefenderTheta	Gen:NN.ZexaF.34236.0o0@a0U2tpnO
MAX	malware (ai score=84)
VBA32	BScope.TrojanPSW.Coins
Malwarebytes	Trojan.MalPack
TrendMicro-HouseCall	TROJ_GEN.R002C0WJL21
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/PossibleThreat
AVG	Win32:Malware-gen
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_60% (W)

The process wscript.exe wrote an executable file to disk which it then attempted to execute (2 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\cmd.exe

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)

dead_host	172.67.214.213:2405
dead_host	178.20.44.131:2405
dead_host	104.21.86.33:2405

hop.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All