Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 8, 2021, 6:14 p.m.	Nov. 8, 2021, 6:18 p.m.

Size	273.3KB
Type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`91d4d9e326c8fc248005b8d1ab6ce48b`
SHA256	`51ffa97c666a44c732f20bbb7c62f48e7f01e1e16fc381078d19fdda95894970`
CRC32	`DD55E0C8`
ssdeep	`3072:5ExPHM86Bh4bOmxrKKHbBTQXUPdywGyTfsKBAKBgI:6Zn6Bh2xrl7BBTdXWI`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

8194_1636301703_9028.exe "C:\Users\test22\AppData\Local\Temp\8194_1636301703_9028.exe"
2308
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com
  2488
  - PING.EXE "C:\Windows\system32\PING.EXE" twitter.com
    2644
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /release
  2440
  - ipconfig.exe "C:\Windows\system32\ipconfig.exe" /release
    2652
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com
  2820
  - PING.EXE "C:\Windows\system32\PING.EXE" twitter.com
    2908
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com
  2992
  - PING.EXE "C:\Windows\system32\PING.EXE" twitter.com
    2052
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com
  2360
  - PING.EXE "C:\Windows\system32\PING.EXE" twitter.com
    2708
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com
  2444
  - PING.EXE "C:\Windows\system32\PING.EXE" twitter.com
    2316
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /renew
  2808
  - ipconfig.exe "C:\Windows\system32\ipconfig.exe" /renew
    2948
- 8194_1636301703_9028.exe C:\Users\test22\AppData\Local\Temp\8194_1636301703_9028.exe
  2512

Name	Response	Post-Analysis Lookup
bitbucket.org	A 104.192.141.1	104.192.141.1
twitter.com	A 104.244.42.1	104.244.42.65
mas.to	A 88.99.75.82	88.99.75.82
bbuseruploads.s3.amazonaws.com	CNAME s3-1-w.amazonaws.com A 52.217.130.161 CNAME s3-w.us-east-1.amazonaws.com	52.217.228.169

IP Address	Status	Action
104.192.141.1	Active	Moloch
104.244.42.1	Active	Moloch
164.124.101.2	Active	Moloch
52.217.130.161	Active	Moloch
88.99.75.82	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49178 -> 52.217.130.161:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49182 -> 88.99.75.82:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:63183 -> 8.8.8.8:53	2027757	ET DNS Query for .to TLD	Potentially Bad Traffic
TCP 192.168.56.103:49177 -> 104.192.141.1:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:63183 -> 164.124.101.2:53	2027757	ET DNS Query for .to TLD	Potentially Bad Traffic
TCP 192.168.56.103:49181 -> 88.99.75.82:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 88.99.75.82:443 -> 192.168.56.103:49183	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49178 52.217.130.161:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Baltimore CA-2 G2	C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=*.s3.amazonaws.com	90:e0:af:dc:fa:f7:0b:ac:50:bb:fa:43:e1:ec:e2:3d:ce:91:90:47
TLS 1.2 192.168.56.103:49177 104.192.141.1:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=Private Organization, unknown=US, unknown=Delaware, serialNumber=3928449, C=US, ST=California, L=San Francisco, O=Atlassian, Inc., OU=Bitbucket, CN=bitbucket.org	4e:6a:4c:3b:82:15:ef:df:97:38:5e:50:ef:b9:86:42:84:3b:89:f0

Queries for the computername (42 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 8, 2021, 6:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 6:15 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 133 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:14 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:15 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:15 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:15 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:15 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:15 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:15 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:15 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:15 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 6:15 p.m.			0	0

Command line console output was observed (50 out of 104 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 8, 2021, 6:14 p.m.	buffer: Windows IP Configuration console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2021, 6:14 p.m.	buffer: The operation failed as no adapter is in the state permissible for this operation. console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: Pinging twitter.com [104.244.42.1] console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: Reply from 104.244.42.1: console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: time=42ms console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: TTL=52 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: Reply from 104.244.42.1: console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: time=42ms console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: TTL=52 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: Reply from 104.244.42.1: console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: time=42ms console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: TTL=52 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: Reply from 104.244.42.1: console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: time=42ms console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: TTL=52 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: Ping statistics for 104.244.42.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: Approximate round trip times in milli-seconds: Minimum = 42ms, Maximum = 42ms, Average = 42ms console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: Pinging twitter.com [104.244.42.1] console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: Reply from 104.244.42.1: console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: time=42ms console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: TTL=52 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: Reply from 104.244.42.1: console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: time=42ms console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: TTL=52 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: Reply from 104.244.42.1: console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: time=42ms console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: TTL=52 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: Reply from 104.244.42.1: console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: time=42ms console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: TTL=52 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: Ping statistics for 104.244.42.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: Approximate round trip times in milli-seconds: Minimum = 42ms, Maximum = 42ms, Average = 42ms console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: Pinging twitter.com [104.244.42.1] console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: Reply from 104.244.42.1: console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: time=42ms console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: TTL=52 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: Reply from 104.244.42.1: console_handle: 0x00000007	1	1
WriteConsoleA Nov. 8, 2021, 6:14 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 283 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 8, 2021, 6:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0078e628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0078e628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0078e528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb258 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb7d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb7d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb7d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb9d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb9d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb9d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb9d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb9d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb9d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb7d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb7d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb7d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cae18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cae18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cae18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb6d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cae18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cae18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cae18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cae18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cae18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cae18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cae18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cbb58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cbb58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cbb58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cbb58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cbb58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cbb58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cbb58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cbb58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cbb58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cbb58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cbb58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cbb58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cbb58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cbb58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cba98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cba98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ea470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ea9f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ea9f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ea9f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ea570 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ea570 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ea570 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 8, 2021, 6:14 p.m.		1	1	0

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ Nov. 8, 2021, 6:15 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7689b37e 0x7c935fd 0x7c93572 0x7c911ef 0x7e3c1e3 0x7e3de97 0x7e34b8b 0x7e35ae6 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73972652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7398264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x739f1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x739f1737 mscorlib+0x2d3711 @ 0x722a3711 mscorlib+0x308f2d @ 0x722d8f2d mscorlib+0x3133fd @ 0x722e33fd 0x5845ae 0x5838d2 0x5837f9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73972652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7398264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73982e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73a374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73a37610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73ac1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73ac1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73ac1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73ac416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7401f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x742a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x742a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7689b479 registers.esp: 2549612 registers.edi: 1987043272 registers.eax: 10027008 registers.ebp: 2549816 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Nov. 8, 2021, 6:15 p.m.	stacktrace: 8194_1636301703_9028+0x13a20 @ 0x413a20 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: eb 0b b8 01 00 00 00 c3 8b 65 e8 33 c0 c7 45 fc exception.symbol: 8194_1636301703_9028+0x10d9 exception.instruction: jmp 0x4010e6 exception.module: 8194_1636301703_9028.exe exception.exception_code: 0x80000004 exception.offset: 4313 exception.address: 0x4010d9 registers.esp: 2816368 registers.edi: 0 registers.eax: 1 registers.ebp: 2816408 registers.edx: 4971113 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 961873370	1
__exception__ Nov. 8, 2021, 6:15 p.m.	stacktrace: exception.instruction_r: 8a 08 40 3a cb 75 f9 2b c2 50 56 b9 5c 30 4d 00 exception.symbol: 8194_1636301703_9028+0x114d0 exception.instruction: mov cl, byte ptr [eax] exception.module: 8194_1636301703_9028.exe exception.exception_code: 0xc0000005 exception.offset: 70864 exception.address: 0x4114d0 registers.esp: 2815284 registers.edi: 4980396 registers.eax: 0 registers.ebp: 16 registers.edx: 1 registers.ebx: 0 registers.esi: 0 registers.ecx: 2815312	1

Time & API

Arguments

Status

Return

Repeated

__exception__

Nov. 8, 2021, 6:15 p.m.

stacktrace:

K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7689b37e
0x7c935fd
0x7c93572
0x7c911ef
0x7e3c1e3
0x7e3de97
0x7e34b8b
0x7e35ae6
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73972652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7398264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x739f1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x739f1737
mscorlib+0x2d3711 @ 0x722a3711
mscorlib+0x308f2d @ 0x722d8f2d
mscorlib+0x3133fd @ 0x722e33fd
0x5845ae
0x5838d2
0x5837f9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73972652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7398264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73982e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73a374ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73a37610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73ac1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73ac1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73ac1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73ac416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7401f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x742a7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x742a4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7689b479
registers.esp: 2549612
registers.edi: 1987043272
registers.eax: 10027008
registers.ebp: 2549816
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0

__exception__

Nov. 8, 2021, 6:15 p.m.

stacktrace:

8194_1636301703_9028+0x13a20 @ 0x413a20
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: eb 0b b8 01 00 00 00 c3 8b 65 e8 33 c0 c7 45 fc
exception.symbol: 8194_1636301703_9028+0x10d9
exception.instruction: jmp 0x4010e6
exception.module: 8194_1636301703_9028.exe
exception.exception_code: 0x80000004
exception.offset: 4313
exception.address: 0x4010d9
registers.esp: 2816368
registers.edi: 0
registers.eax: 1
registers.ebp: 2816408
registers.edx: 4971113
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 961873370

__exception__

Nov. 8, 2021, 6:15 p.m.

stacktrace:

exception.instruction_r: 8a 08 40 3a cb 75 f9 2b c2 50 56 b9 5c 30 4d 00
exception.symbol: 8194_1636301703_9028+0x114d0
exception.instruction: mov cl, byte ptr [eax]
exception.module: 8194_1636301703_9028.exe
exception.exception_code: 0xc0000005
exception.offset: 70864
exception.address: 0x4114d0
registers.esp: 2815284
registers.edi: 4980396
registers.eax: 0
registers.ebp: 16
registers.edx: 1
registers.ebx: 0
registers.esi: 0
registers.ecx: 2815312

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET https://bitbucket.org/setupfx1/software/downloads/Tango.bin
suspicious_features	GET method with no useragent header				suspicious_request	GET https://bbuseruploads.s3.amazonaws.com/dd8f3efb-aea4-4888-a2bc-db69074fc43e/downloads/f3cf9db5-402d-4ac0-81bf-ed03f37f3813/Tango.bin?Signature=saZRMEukgw4Kolbfgg8osLa73Hk%3D&Expires=1636364715&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=OQ.Ov51xs6RULvB9iL41ndXqzROZqFlU&response-content-disposition=attachment%3B%20filename%3D%22Tango.bin%22

Performs some HTTP requests (2 events)

request	GET https://bitbucket.org/setupfx1/software/downloads/Tango.bin
request	GET https://bbuseruploads.s3.amazonaws.com/dd8f3efb-aea4-4888-a2bc-db69074fc43e/downloads/f3cf9db5-402d-4ac0-81bf-ed03f37f3813/Tango.bin?Signature=saZRMEukgw4Kolbfgg8osLa73Hk%3D&Expires=1636364715&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=OQ.Ov51xs6RULvB9iL41ndXqzROZqFlU&response-content-disposition=attachment%3B%20filename%3D%22Tango.bin%22

Allocates read-write-execute memory (usually to unpack itself) (50 out of 949 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 8, 2021, 6:14 p.m.	process_identifier: 2308 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:14 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 8, 2021, 6:14 p.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73971000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 8, 2021, 6:14 p.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73972000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:14 p.m.	process_identifier: 2308 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:14 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00590000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:14 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:14 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:14 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00580000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:14 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00581000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:14 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:14 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00583000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:14 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:14 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:14 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:14 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:14 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:14 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00584000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:14 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:14 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:14 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:15 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:15 p.m.	process_identifier: 2308 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00585000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:15 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07e30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:15 p.m.	process_identifier: 2308 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07e31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:15 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003dd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:15 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07e35000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:15 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07b4f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:15 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:15 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07e36000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:15 p.m.	process_identifier: 2308 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07e37000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:15 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07e3a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:15 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07e3b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:15 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07e3c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:15 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07e3d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:15 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07b41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:15 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07e3e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:15 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003de000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:15 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07e3f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:15 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07c90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:15 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07c91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:15 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07b42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:15 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07c92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:15 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07c93000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:15 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07c94000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:14 p.m.	process_identifier: 2488 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02740000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:14 p.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 8, 2021, 6:14 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fd31000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 6:14 p.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0239a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 8, 2021, 6:14 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fd32000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

8194_1636301703_9028.exe tried to sleep 217 seconds, actually delayed analysis time by 217 seconds

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (6 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com
cmdline	powershell ipconfig /renew
cmdline	powershell ping twitter.com
cmdline	powershell ipconfig /release
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /release
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /renew

A process created a hidden window (7 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Nov. 8, 2021, 6:14 p.m.	show_type: 0 filepath_r: powershell parameters: ipconfig /release filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2021, 6:14 p.m.	show_type: 0 filepath_r: powershell parameters: ping twitter.com filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2021, 6:14 p.m.	show_type: 0 filepath_r: powershell parameters: ping twitter.com filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2021, 6:14 p.m.	show_type: 0 filepath_r: powershell parameters: ping twitter.com filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2021, 6:14 p.m.	show_type: 0 filepath_r: powershell parameters: ping twitter.com filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2021, 6:14 p.m.	show_type: 0 filepath_r: powershell parameters: ping twitter.com filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2021, 6:15 p.m.	show_type: 0 filepath_r: powershell parameters: ipconfig /renew filepath: powershell	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 8, 2021, 6:15 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (8 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Nov. 8, 2021, 6:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 6:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 6:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 6:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 6:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 6:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 6:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 6:15 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (14 events)

description	Win32 PWS Loki	rule	Win32_PWS_Loki_Zero
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	browser info stealer	rule	infoStealer_browser_Zero

Uses Windows utilities for basic Windows functionality (9 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com
cmdline	powershell ipconfig /renew
cmdline	powershell ping twitter.com
cmdline	powershell ipconfig /release
cmdline	"C:\Windows\system32\ipconfig.exe" /renew
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /release
cmdline	"C:\Windows\system32\ipconfig.exe" /release
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /renew
cmdline	"C:\Windows\system32\PING.EXE" twitter.com

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 8, 2021, 6:15 p.m.	process_identifier: 2512 region_size: 888832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000008cc	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 8, 2021, 6:15 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $©à^BÈ BÈ BÈ Ñ CÈ -¾ _È K° @È K° SÈ BÈ øÈ -¾$ ëÈ -¾% È -¾ CÈ RichBÈ PELáÉaà æ½ @ ä àÌ@ Ô.textu `.rdataD @@.dataÄY0 , @À base_address: 0x00400000 process_identifier: 2512 process_handle: 0x000008cc	1	1	0
WriteProcessMemory Nov. 8, 2021, 6:15 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2512 process_handle: 0x000008cc	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 8, 2021, 6:15 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $©à^BÈ BÈ BÈ Ñ CÈ -¾ _È K° @È K° SÈ BÈ øÈ -¾$ ëÈ -¾% È -¾ CÈ RichBÈ PELáÉaà æ½ @ ä àÌ@ Ô.textu `.rdataD @@.dataÄY0 , @À base_address: 0x00400000 process_identifier: 2512 process_handle: 0x000008cc	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2308 called NtSetContextThread to modify thread in remote process 2512
NtSetContextThread Nov. 8, 2021, 6:15 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4856765 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000008ec process_identifier: 2512	1	0	0

One or more non-whitelisted processes were created (7 events)

parent_process	powershell.exe	martian_process	"C:\Windows\system32\ipconfig.exe" /release
parent_process	powershell.exe	martian_process	"C:\Windows\system32\PING.EXE" twitter.com
parent_process	powershell.exe	martian_process	"C:\Windows\system32\ipconfig.exe" /renew
parent_process	powershell.exe	martian_process	"C:\Windows\system32\PING.EXE" twitter.com
parent_process	powershell.exe	martian_process	"C:\Windows\system32\PING.EXE" twitter.com
parent_process	powershell.exe	martian_process	"C:\Windows\system32\PING.EXE" twitter.com
parent_process	powershell.exe	martian_process	"C:\Windows\system32\PING.EXE" twitter.com

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2308 resumed a thread in remote process 2512
NtResumeThread Nov. 8, 2021, 6:15 p.m.	thread_handle: 0x000008ec suspend_count: 1 process_identifier: 2512	1	0	0

The process powershell.exe wrote an executable file to disk (1 event)

file	C:\Windows\System32\ipconfig.exe

Generates some ICMP traffic

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

Lionic	Trojan.MSIL.Chapak.4!c
Elastic	malicious (high confidence)
FireEye	Generic.mg.91d4d9e326c8fc24
McAfee	RDN/Generic.rp
Cybereason	malicious.75c1a4
BitDefenderTheta	Gen:NN.ZemsilF.34266.rm2@aCQxxzh
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
BitDefender	Trojan.GenericKD.37974805
Avast	FileRepMetagen [Malware]
McAfee-GW-Edition	Artemis!Trojan
SentinelOne	Static AI - Malicious PE
MAX	malware (ai score=86)
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Microsoft	Trojan:Win32/AgentTesla!ml
GData	Trojan.GenericKD.37974805
Cynet	Malicious (score: 100)
TrendMicro-HouseCall	TROJ_GEN.R002H09K821
Yandex	Trojan.AvsArher.bUPOkE
Ikarus	Trojan.MSIL.Krypt
MaxSecure	Trojan.Malware.300983.susgen
AVG	FileRepMetagen [Malware]
CrowdStrike	win/malicious_confidence_90% (W)

Executed a process and injected code into it, probably while unpacking (50 out of 62 events)

Time & API	Arguments	Status	Return
NtResumeThread Nov. 8, 2021, 6:14 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2308	1	0
NtResumeThread Nov. 8, 2021, 6:14 p.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2308	1	0
NtResumeThread Nov. 8, 2021, 6:14 p.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2308	1	0
NtResumeThread Nov. 8, 2021, 6:14 p.m.	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 2308	1	0
NtGetContextThread Nov. 8, 2021, 6:14 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Nov. 8, 2021, 6:14 p.m.	thread_handle: 0x000000e8	1	0
NtResumeThread Nov. 8, 2021, 6:14 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2308	1	0
NtResumeThread Nov. 8, 2021, 6:14 p.m.	thread_handle: 0x00000214 suspend_count: 1 process_identifier: 2308	1	0
NtResumeThread Nov. 8, 2021, 6:14 p.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 2308	1	0
CreateProcessInternalW Nov. 8, 2021, 6:14 p.m.	thread_identifier: 2444 thread_handle: 0x000003b4 process_identifier: 2440 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /release filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003bc	1	1
CreateProcessInternalW Nov. 8, 2021, 6:14 p.m.	thread_identifier: 2492 thread_handle: 0x00000278 process_identifier: 2488 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003bc	1	1
CreateProcessInternalW Nov. 8, 2021, 6:14 p.m.	thread_identifier: 2824 thread_handle: 0x00000404 process_identifier: 2820 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000041c	1	1
CreateProcessInternalW Nov. 8, 2021, 6:14 p.m.	thread_identifier: 2996 thread_handle: 0x00000418 process_identifier: 2992 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000440	1	1
CreateProcessInternalW Nov. 8, 2021, 6:14 p.m.	thread_identifier: 2352 thread_handle: 0x0000044c process_identifier: 2360 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000464	1	1
CreateProcessInternalW Nov. 8, 2021, 6:14 p.m.	thread_identifier: 2772 thread_handle: 0x00000460 process_identifier: 2444 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000488	1	1
CreateProcessInternalW Nov. 8, 2021, 6:15 p.m.	thread_identifier: 2628 thread_handle: 0x00000480 process_identifier: 2808 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /renew filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000498	1	1
NtResumeThread Nov. 8, 2021, 6:15 p.m.	thread_handle: 0x000005b4 suspend_count: 1 process_identifier: 2308	1	0
CreateProcessInternalW Nov. 8, 2021, 6:15 p.m.	thread_identifier: 2680 thread_handle: 0x000008ec process_identifier: 2512 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\8194_1636301703_9028.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000008cc	1	1
NtGetContextThread Nov. 8, 2021, 6:15 p.m.	thread_handle: 0x000008ec	1	0
NtAllocateVirtualMemory Nov. 8, 2021, 6:15 p.m.	process_identifier: 2512 region_size: 888832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000008cc	1	0
WriteProcessMemory Nov. 8, 2021, 6:15 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $©à^BÈ BÈ BÈ Ñ CÈ -¾ _È K° @È K° SÈ BÈ øÈ -¾$ ëÈ -¾% È -¾ CÈ RichBÈ PELáÉaà æ½ @ ä àÌ@ Ô.textu `.rdataD @@.dataÄY0 , @À base_address: 0x00400000 process_identifier: 2512 process_handle: 0x000008cc	1	1
WriteProcessMemory Nov. 8, 2021, 6:15 p.m.	buffer: base_address: 0x00401000 process_identifier: 2512 process_handle: 0x000008cc	1	1
WriteProcessMemory Nov. 8, 2021, 6:15 p.m.	buffer: base_address: 0x004ba000 process_identifier: 2512 process_handle: 0x000008cc	1	1
WriteProcessMemory Nov. 8, 2021, 6:15 p.m.	buffer: base_address: 0x004d3000 process_identifier: 2512 process_handle: 0x000008cc	1	1
WriteProcessMemory Nov. 8, 2021, 6:15 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2512 process_handle: 0x000008cc	1	1
NtSetContextThread Nov. 8, 2021, 6:15 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4856765 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000008ec process_identifier: 2512	1	0
NtResumeThread Nov. 8, 2021, 6:15 p.m.	thread_handle: 0x000008ec suspend_count: 1 process_identifier: 2512	1	0
NtResumeThread Nov. 8, 2021, 6:14 p.m.	thread_handle: 0x0000029c suspend_count: 1 process_identifier: 2488	1	0
NtResumeThread Nov. 8, 2021, 6:14 p.m.	thread_handle: 0x000002f0 suspend_count: 1 process_identifier: 2488	1	0
NtResumeThread Nov. 8, 2021, 6:14 p.m.	thread_handle: 0x0000043c suspend_count: 1 process_identifier: 2488	1	0
CreateProcessInternalW Nov. 8, 2021, 6:14 p.m.	thread_identifier: 2648 thread_handle: 0x00000440 process_identifier: 2644 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\system32\PING.EXE" twitter.com filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000444	1	1
NtResumeThread Nov. 8, 2021, 6:14 p.m.	thread_handle: 0x00000488 suspend_count: 1 process_identifier: 2488	1	0
NtResumeThread Nov. 8, 2021, 6:14 p.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 2440	1	0
NtResumeThread Nov. 8, 2021, 6:14 p.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 2440	1	0
NtResumeThread Nov. 8, 2021, 6:14 p.m.	thread_handle: 0x00000438 suspend_count: 1 process_identifier: 2440	1	0
CreateProcessInternalW Nov. 8, 2021, 6:14 p.m.	thread_identifier: 2656 thread_handle: 0x0000043c process_identifier: 2652 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\system32\ipconfig.exe" /release filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000440	1	1
NtResumeThread Nov. 8, 2021, 6:14 p.m.	thread_handle: 0x00000484 suspend_count: 1 process_identifier: 2440	1	0
NtResumeThread Nov. 8, 2021, 6:14 p.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2820	1	0
NtResumeThread Nov. 8, 2021, 6:14 p.m.	thread_handle: 0x00000300 suspend_count: 1 process_identifier: 2820	1	0
NtResumeThread Nov. 8, 2021, 6:14 p.m.	thread_handle: 0x0000044c suspend_count: 1 process_identifier: 2820	1	0
CreateProcessInternalW Nov. 8, 2021, 6:14 p.m.	thread_identifier: 2912 thread_handle: 0x00000450 process_identifier: 2908 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\system32\PING.EXE" twitter.com filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000454	1	1
NtResumeThread Nov. 8, 2021, 6:14 p.m.	thread_handle: 0x00000498 suspend_count: 1 process_identifier: 2820	1	0
NtResumeThread Nov. 8, 2021, 6:14 p.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2992	1	0
NtResumeThread Nov. 8, 2021, 6:14 p.m.	thread_handle: 0x000002fc suspend_count: 1 process_identifier: 2992	1	0
NtResumeThread Nov. 8, 2021, 6:14 p.m.	thread_handle: 0x00000448 suspend_count: 1 process_identifier: 2992	1	0
CreateProcessInternalW Nov. 8, 2021, 6:14 p.m.	thread_identifier: 1832 thread_handle: 0x0000044c process_identifier: 2052 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\system32\PING.EXE" twitter.com filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000450	1	1
NtResumeThread Nov. 8, 2021, 6:14 p.m.	thread_handle: 0x00000494 suspend_count: 1 process_identifier: 2992	1	0
NtResumeThread Nov. 8, 2021, 6:14 p.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2360	1	0
NtResumeThread Nov. 8, 2021, 6:14 p.m.	thread_handle: 0x00000300 suspend_count: 1 process_identifier: 2360	1	0
NtResumeThread Nov. 8, 2021, 6:14 p.m.	thread_handle: 0x0000044c suspend_count: 1 process_identifier: 2360	1	0

8194_1636301703_9028.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All