Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 11, 2021, 11:06 p.m.	Dec. 11, 2021, 11:11 p.m.

Size	794.5KB
Type	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5	`8ecbe23f13fb5fb2355ad4da4342fa98`
SHA256	`a279f950c579cfeb6c58d8b1ba128b32ab1e63b02eaf0dd14cedd3418c69fdc4`
CRC32	`DAEF57CF`
ssdeep	`12288:kOY/JKiF7848nteCLOYxrZlBchnq88Pjti8s4U3T4/V4q1zLppM8nD4u3Jl8MAIi:e/NuPeCyq8UJwKGq1t9c`
Yara	hide_executable_file - Hide executable file IsPE64 - (no description) PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

pm.exe "C:\Users\test22\AppData\Local\Temp\pm.exe"
2276
- cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\pm.exe" debug
  2456
  - pm.exe C:\Users\test22\AppData\Local\Temp\pm.exe debug
    2524
    - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\Ivgjyyhbbvlqhyjka.vbs"
      2800
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\winda.exe'
        2996

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 11, 2021, 11:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2021, 11:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2021, 11:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2021, 11:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 11, 2021, 11:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2021, 11:08 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 11, 2021, 11:06 p.m.			0	0
IsDebuggerPresent Dec. 11, 2021, 11:06 p.m.			0	0
IsDebuggerPresent Dec. 11, 2021, 11:07 p.m.			0	0
IsDebuggerPresent Dec. 11, 2021, 11:07 p.m.			0	0
IsDebuggerPresent Dec. 11, 2021, 11:08 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c9520 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b27ebe0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b27ebe0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b27ebe0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b27ea20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b27ea20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b27e780 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b27e780 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b27e780 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b27e780 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b27eef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b27eef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b27eef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c9ad0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c9ad0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c9ad0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c9a60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c9a60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c9a60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c9a60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c9a60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c9a60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c9a60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c9a60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b27f510 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b27f510 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b27f510 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b27e780 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b27e780 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c92f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c92f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c9ad0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c9ad0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c9ad0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b27f5f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b27f5f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b27f5f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b27f5f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2b1230 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2b1230 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2b1460 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2b1460 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2b18c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2b18c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2b18c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2021, 11:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2b18c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 11, 2021, 11:06 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Dec. 11, 2021, 11:08 p.m.	stacktrace: K32InitializeProcessForWsWatch+0x16d K32EnumPageFilesW-0x333 kernel32+0x3f45d @ 0x76dcf45d K32EnumProcessModules+0x11 K32EnumPageFilesA-0x19f kernel32+0x53fe1 @ 0x76de3fe1 0x7fe9367d734 0x7fe9367b44a 0x7fe93670332 CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef2d1f713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef2d1f242 StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef2d6b042 StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef2d6ad83 mscorlib+0x563c95 @ 0x7fef1bd3c95 mscorlib+0x486001 @ 0x7fef1af6001 mscorlib+0x48c543 @ 0x7fef1afc543 0x7fe93667508 0x7fe9365fd8f 0x7fe9365720b 0x7fe93656d90 0x7fe936552ba 0x7fe93653b24 CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef2d1f713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef2d1f242 StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef2d6b042 StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef2d6ad83 mscorlib+0x563c95 @ 0x7fef1bd3c95 mscorlib+0x486001 @ 0x7fef1af6001 0x7fe93650957 0x7fe936502e7 0x7fe936500dc CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef2d1f713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef2d1f242 CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef2d1f30b NGenCreateNGenWorker+0x63e7 _AxlPublicKeyBlobToPublicKeyToken-0x40e25 clr+0x215e4b @ 0x7fef2ee5e4b _CorExeMain+0x3ab6 ClrCreateManagedInstance-0x1538a clr+0x1e7976 @ 0x7fef2eb7976 _CorExeMain+0x39b0 ClrCreateManagedInstance-0x15490 clr+0x1e7870 @ 0x7fef2eb7870 _CorExeMain+0x3526 ClrCreateManagedInstance-0x1591a clr+0x1e73e6 @ 0x7fef2eb73e6 _CorExeMain+0x347e ClrCreateManagedInstance-0x159c2 clr+0x1e733e @ 0x7fef2eb733e _CorExeMain+0x14 ClrCreateManagedInstance-0x18e2c clr+0x1e3ed4 @ 0x7fef2eb3ed4 _CorExeMain+0x5d CLRCreateInstance-0x2bd3 mscoreei+0x74e5 @ 0x7fef49f74e5 _CorExeMain+0x69 ND_RU1-0x1707 mscoree+0x5b21 @ 0x7fef5575b21 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76da652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x770fc521 exception.instruction_r: 49 89 04 cf eb 13 8b c8 ff 15 95 d7 05 00 8b c8 exception.symbol: K32InitializeProcessForWsWatch+0x16d K32EnumPageFilesW-0x333 kernel32+0x3f45d exception.instruction: mov qword ptr [r15 + rcx*8], rax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 259165 exception.address: 0x76dcf45d registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 4389104 registers.r11: 514 registers.r8: 4377160 registers.r9: 4377216 registers.rdx: 0 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1205534720 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Dec. 11, 2021, 11:08 p.m.

stacktrace:

K32InitializeProcessForWsWatch+0x16d K32EnumPageFilesW-0x333 kernel32+0x3f45d @ 0x76dcf45d
K32EnumProcessModules+0x11 K32EnumPageFilesA-0x19f kernel32+0x53fe1 @ 0x76de3fe1
0x7fe9367d734
0x7fe9367b44a
0x7fe93670332
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef2d1f713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef2d1f242
StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef2d6b042
StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef2d6ad83
mscorlib+0x563c95 @ 0x7fef1bd3c95
mscorlib+0x486001 @ 0x7fef1af6001
mscorlib+0x48c543 @ 0x7fef1afc543
0x7fe93667508
0x7fe9365fd8f
0x7fe9365720b
0x7fe93656d90
0x7fe936552ba
0x7fe93653b24
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef2d1f713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef2d1f242
StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef2d6b042
StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef2d6ad83
mscorlib+0x563c95 @ 0x7fef1bd3c95
mscorlib+0x486001 @ 0x7fef1af6001
0x7fe93650957
0x7fe936502e7
0x7fe936500dc
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef2d1f713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef2d1f242
CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef2d1f30b
NGenCreateNGenWorker+0x63e7 _AxlPublicKeyBlobToPublicKeyToken-0x40e25 clr+0x215e4b @ 0x7fef2ee5e4b
_CorExeMain+0x3ab6 ClrCreateManagedInstance-0x1538a clr+0x1e7976 @ 0x7fef2eb7976
_CorExeMain+0x39b0 ClrCreateManagedInstance-0x15490 clr+0x1e7870 @ 0x7fef2eb7870
_CorExeMain+0x3526 ClrCreateManagedInstance-0x1591a clr+0x1e73e6 @ 0x7fef2eb73e6
_CorExeMain+0x347e ClrCreateManagedInstance-0x159c2 clr+0x1e733e @ 0x7fef2eb733e
_CorExeMain+0x14 ClrCreateManagedInstance-0x18e2c clr+0x1e3ed4 @ 0x7fef2eb3ed4
_CorExeMain+0x5d CLRCreateInstance-0x2bd3 mscoreei+0x74e5 @ 0x7fef49f74e5
_CorExeMain+0x69 ND_RU1-0x1707 mscoree+0x5b21 @ 0x7fef5575b21
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76da652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x770fc521

exception.instruction_r: 49 89 04 cf eb 13 8b c8 ff 15 95 d7 05 00 8b c8
exception.symbol: K32InitializeProcessForWsWatch+0x16d K32EnumPageFilesW-0x333 kernel32+0x3f45d
exception.instruction: mov qword ptr [r15 + rcx*8], rax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 259165
exception.address: 0x76dcf45d
registers.r14: 0
registers.r15: 0
registers.rcx: 0
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 4389104
registers.r11: 514
registers.r8: 4377160
registers.r9: 4377216
registers.rdx: 0
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1205534720
registers.r13: 0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 294 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a40000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef324b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002640000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000027a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9343a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe934ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93516000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe934f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9344c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9343b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9345b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9348c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9345d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2021, 11:06 p.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9344a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2021, 11:07 p.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93432000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2021, 11:07 p.m.	process_identifier: 2524 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000aa0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2021, 11:07 p.m.	process_identifier: 2524 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2021, 11:07 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2cd1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2021, 11:07 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef336b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2021, 11:07 p.m.	process_identifier: 2524 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b90000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2021, 11:07 p.m.	process_identifier: 2524 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000bd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2021, 11:07 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2cd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2021, 11:07 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2cd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2021, 11:07 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2cd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2021, 11:07 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2cd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2021, 11:07 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2cd2000 process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\Ivgjyyhbbvlqhyjka.vbs

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\winda.exe'
cmdline	"C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\pm.exe" debug
cmdline	powershell Set-MpPreference -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\winda.exe'

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Dec. 11, 2021, 11:07 p.m.	show_type: 0 filepath_r: cmd parameters: /C "C:\Users\test22\AppData\Local\Temp\pm.exe" debug filepath: cmd	1	1	0
ShellExecuteExW Dec. 11, 2021, 11:07 p.m.	show_type: 0 filepath_r: powershell parameters: Set-MpPreference -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\winda.exe' filepath: powershell	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000c4200', u'virtual_address': u'0x00002000', u'entropy': 7.540069475900501, u'name': u'.text', u'virtual_size': u'0x000c4180'}

entropy

7.5400694759

description

A section with a high entropy has been found

entropy

0.988035264484

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Dec. 11, 2021, 11:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Dec. 11, 2021, 11:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Dec. 11, 2021, 11:08 p.m.	process_identifier: 3068 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003c0	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winda

reg_value

"C:\Users\test22\AppData\Roaming\winda.exe"

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\Ivgjyyhbbvlqhyjka.vbs

Manipulates memory of a non-child process indicative of process injection (3 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2524 manipulating memory of non-child process 3068
NtUnmapViewOfSection Dec. 11, 2021, 11:08 p.m.	base_address: 0x0000000140000000 region_size: 8786416697344 process_identifier: 3068 process_handle: 0x00000000000003c0		-1073741799	0
NtAllocateVirtualMemory Dec. 11, 2021, 11:08 p.m.	process_identifier: 3068 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003c0	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2524 injected into non-child 3068
WriteProcessMemory Dec. 11, 2021, 11:08 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdkJáð"0: @ @@@ ÀÄ9¸¬ H.textÔ `.rsrcÄ9À:@@ base_address: 0x0000000140000000 process_identifier: 3068 process_handle: 0x00000000000003c0	1	1	0

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2524 injected into non-child 3068
WriteProcessMemory Dec. 11, 2021, 11:08 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdkJáð"0: @ @@@ ÀÄ9¸¬ H.textÔ `.rsrcÄ9À:@@ base_address: 0x0000000140000000 process_identifier: 3068 process_handle: 0x00000000000003c0	1	1	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\winda.exe'
parent_process	wscript.exe				martian_process	powershell Set-MpPreference -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\winda.exe'

Executed a process and injected code into it, probably while unpacking (20 events)

Time & API	Arguments	Status	Return
NtResumeThread Dec. 11, 2021, 11:06 p.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 2276	1	0
NtResumeThread Dec. 11, 2021, 11:06 p.m.	thread_handle: 0x0000000000000138 suspend_count: 1 process_identifier: 2276	1	0
NtResumeThread Dec. 11, 2021, 11:06 p.m.	thread_handle: 0x0000000000000174 suspend_count: 1 process_identifier: 2276	1	0
CreateProcessInternalW Dec. 11, 2021, 11:07 p.m.	thread_identifier: 2460 thread_handle: 0x000000000000034c process_identifier: 2456 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\pm.exe" debug filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000354	1	1
CreateProcessInternalW Dec. 11, 2021, 11:07 p.m.	thread_identifier: 2528 thread_handle: 0x0000000000000060 process_identifier: 2524 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\pm.exe track: 1 command_line: C:\Users\test22\AppData\Local\Temp\pm.exe debug filepath_r: C:\Users\test22\AppData\Local\Temp\pm.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000064	1	1
NtResumeThread Dec. 11, 2021, 11:07 p.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 2524	1	0
NtResumeThread Dec. 11, 2021, 11:07 p.m.	thread_handle: 0x0000000000000138 suspend_count: 1 process_identifier: 2524	1	0
NtResumeThread Dec. 11, 2021, 11:07 p.m.	thread_handle: 0x000000000000014c suspend_count: 1 process_identifier: 2524	1	0
NtResumeThread Dec. 11, 2021, 11:07 p.m.	thread_handle: 0x00000000000001f0 suspend_count: 1 process_identifier: 2524	1	0
NtResumeThread Dec. 11, 2021, 11:07 p.m.	thread_handle: 0x0000000000000214 suspend_count: 1 process_identifier: 2524	1	0
CreateProcessInternalW Dec. 11, 2021, 11:07 p.m.	thread_identifier: 2804 thread_handle: 0x00000000000003bc process_identifier: 2800 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\wscript.exe track: 1 command_line: "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\Ivgjyyhbbvlqhyjka.vbs" filepath_r: C:\Windows\System32\WScript.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000003b0	1	1
CreateProcessInternalW Dec. 11, 2021, 11:08 p.m.	thread_identifier: 2060 thread_handle: 0x0000000000000240 process_identifier: 3068 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\aspnet_compiler.exe filepath_r: stack_pivoted: 0 creation_flags: 12 (CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 1 process_handle: 0x00000000000003c0	1	1
NtUnmapViewOfSection Dec. 11, 2021, 11:08 p.m.	base_address: 0x0000000140000000 region_size: 8786416697344 process_identifier: 3068 process_handle: 0x00000000000003c0		-1073741799
NtAllocateVirtualMemory Dec. 11, 2021, 11:08 p.m.	process_identifier: 3068 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003c0	1	0
WriteProcessMemory Dec. 11, 2021, 11:08 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdkJáð"0: @ @@@ ÀÄ9¸¬ H.textÔ `.rsrcÄ9À:@@ base_address: 0x0000000140000000 process_identifier: 3068 process_handle: 0x00000000000003c0	1	1
CreateProcessInternalW Dec. 11, 2021, 11:07 p.m.	thread_identifier: 3000 thread_handle: 0x00000000000002ec process_identifier: 2996 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\winda.exe' filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000002f4	1	1
NtResumeThread Dec. 11, 2021, 11:08 p.m.	thread_handle: 0x0000000000000284 suspend_count: 1 process_identifier: 2996	1	0
NtResumeThread Dec. 11, 2021, 11:08 p.m.	thread_handle: 0x00000000000002d8 suspend_count: 1 process_identifier: 2996	1	0
NtResumeThread Dec. 11, 2021, 11:08 p.m.	thread_handle: 0x000000000000038c suspend_count: 1 process_identifier: 2996	1	0
NtResumeThread Dec. 11, 2021, 11:08 p.m.	thread_handle: 0x00000000000003fc suspend_count: 1 process_identifier: 2996	1	0

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Lionic	Trojan.MSIL.Seraph.a!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Cerbu.117820
McAfee	Artemis!8ECBE23F13FB
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
Alibaba	TrojanDownloader:MSIL/Seraph.d2a0d661
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.JTO
TrendMicro-HouseCall	TROJ_GEN.R002H0CLA21
Paloalto	generic.ml
ClamAV	Win.Dropper.Generic-7113183-0
Kaspersky	HEUR:Trojan-Downloader.MSIL.Seraph.gen
BitDefender	Gen:Variant.Cerbu.117820
Avast	Win64:MalwareX-gen [Trj]
Sophos	Mal/Generic-S
DrWeb	Trojan.Inject4.21839
McAfee-GW-Edition	Artemis!Trojan
FireEye	Gen:Variant.Cerbu.117820
Emsisoft	Trojan.Agent (A)
SentinelOne	Static AI - Malicious PE
Webroot	W32.Trojan.Gen
Avira	HEUR/AGEN.1145354
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Gridinsoft	Trojan.Win64.Downloader.sa
Arcabit	Trojan.Cerbu.D1CC3C
GData	Gen:Variant.Cerbu.117820
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.R444773
APEX	Malicious
MAX	malware (ai score=89)
eGambit	Trojan.Generic
Fortinet	MSIL/Agent.JTO!tr.dldr
AVG	Win64:MalwareX-gen [Trj]
CrowdStrike	win/malicious_confidence_90% (W)

The process wscript.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

pm.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All