Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 19, 2022, 11:31 a.m.	Jan. 19, 2022, 11:56 a.m.

Size	173.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`26c5dc4002976b3b9ae49f2440929df4`
SHA256	`4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8`
CRC32	`AB1B09AF`
ssdeep	`768:mlLupiy0bK8IaYPtSHPWcmhVm13jPJXt9qoST/p80yX6moPCdj0U:ml0iy0bT1G/p80yX6moP+j0U`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

7823754719107729.exe "C:\Users\test22\AppData\Local\Temp\7823754719107729.exe"
2772
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc YwBtAGQAIAAvAGMAIAB0AGkAbQBlAG8AdQB0ACAAMQA5AA==
  2884
  - cmd.exe "C:\Windows\system32\cmd.exe" /c timeout 19
    3008
    - timeout.exe timeout 19
      3052
- 7823754719107729.exe C:\Users\test22\AppData\Local\Temp\7823754719107729.exe
  2576

Name	Response	Post-Analysis Lookup
ozzyingilizce.com	A 159.253.41.162	159.253.41.162
www.111439d.com	A 34.102.136.180 CNAME 111439d.com	34.102.136.180

IP Address	Status	Action
159.253.41.162	Active	Moloch
164.124.101.2	Active	Moloch
34.102.136.180	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Jan. 19, 2022, 11:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 19, 2022, 11:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 19, 2022, 11:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 19, 2022, 11:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 19, 2022, 11:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 19, 2022, 11:31 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 19, 2022, 11:31 a.m.			0	0
IsDebuggerPresent Jan. 19, 2022, 11:31 a.m.			0	0
IsDebuggerPresent Jan. 19, 2022, 11:31 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Jan. 19, 2022, 11:31 a.m.	buffer: Waiting for 19 console_handle: 0x00000007	1	1	0
WriteConsoleW Jan. 19, 2022, 11:31 a.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (44 events)

Time & API	Arguments	Status	Return
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006065a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006065a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006067a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006067a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025a760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025ad20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025ad20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025ad20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025b060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025b060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025b060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025b060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025b060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025b060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025abe0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025abe0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025abe0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025ad20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025ad20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025ad20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025a820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025ad20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025ad20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025ad20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025ad20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025ad20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025ad20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025ad20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025a3e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025a3e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025a3e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025a3e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025a3e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025a3e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025a3e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025a3e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025a3e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025a3e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025a3e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025a3e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025a3e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025a3e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025a8e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0025a8e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 19, 2022, 11:31 a.m.		1	1	0

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ Jan. 19, 2022, 11:32 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x505b56d 0x6e1d82 0x6d86b7 0x6da41c 0x6da0d6 0x6d7614 0x6d7561 0x6d74c8 0x750584 0x75040e 0x7500c5 0x6d7614 0x6d7561 0x6d74c8 0x750584 0x75040e 0x7500c5 0x6d7614 0x6d7561 0x6d74c8 0x750584 0x75040e 0x7500c5 0x6d7614 0x6d7561 0x6d74c8 0x6d0fb9 0x6d0f7b 0x6d0f3d 0x6de0ca DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d mscorlib+0x2cb060 @ 0x7213b060 0x76107e 0x7600f2 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 CopyPDBs+0x4c45 DllCanUnloadNowInternal-0x3c392 clr+0x19a887 @ 0x72fca887 DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 1828476 registers.edi: 1980555208 registers.eax: 16777216 registers.ebp: 1828680 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Jan. 19, 2022, 11:32 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x505b56d 0x6e1d82 0x6d86b7 0x6da41c 0x6da0d6 0x6d7614 0x6d7561 0x6d74c8 0x750584 0x75040e 0x7500c5 0x6d7614 0x6d7561 0x6d74c8 0x750584 0x75040e 0x7500c5 0x6d7614 0x6d7561 0x6d74c8 0x750584 0x75040e 0x7500c5 0x6d7614 0x6d7561 0x6d74c8 0x6d0fb9 0x6d0f7b 0x6d0f3d 0x6de0ca DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d mscorlib+0x2cb060 @ 0x7213b060 0x76107e 0x7600f2 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 CopyPDBs+0x4c45 DllCanUnloadNowInternal-0x3c392 clr+0x19a887 @ 0x72fca887 DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 1828476 registers.edi: 1980555208 registers.eax: 4194304 registers.ebp: 1828680 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Jan. 19, 2022, 11:32 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x505b56d 0x6e1d82 0x6d86b7 0x6da41c 0x6da0d6 0x6d7614 0x6d7561 0x6d74c8 0x750584 0x75040e 0x7500c5 0x6d7614 0x6d7561 0x6d74c8 0x750584 0x75040e 0x7500c5 0x6d7614 0x6d7561 0x6d74c8 0x750584 0x75040e 0x7500c5 0x6d7614 0x6d7561 0x6d74c8 0x6d0fb9 0x6d0f7b 0x6d0f3d 0x6de0ca DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d mscorlib+0x2cb060 @ 0x7213b060 0x76107e 0x7600f2 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 CopyPDBs+0x4c45 DllCanUnloadNowInternal-0x3c392 clr+0x19a887 @ 0x72fca887 DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 1828476 registers.edi: 1980555208 registers.eax: 3211264 registers.ebp: 1828680 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1

Time & API

Arguments

Status

Return

Repeated

__exception__

Jan. 19, 2022, 11:32 a.m.

stacktrace:

K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e
0x505b56d
0x6e1d82
0x6d86b7
0x6da41c
0x6da0d6
0x6d7614
0x6d7561
0x6d74c8
0x750584
0x75040e
0x7500c5
0x6d7614
0x6d7561
0x6d74c8
0x750584
0x75040e
0x7500c5
0x6d7614
0x6d7561
0x6d74c8
0x750584
0x75040e
0x7500c5
0x6d7614
0x6d7561
0x6d74c8
0x6d0fb9
0x6d0f7b
0x6d0f3d
0x6de0ca
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737
mscorlib+0x2d3711 @ 0x72143711
mscorlib+0x308f2d @ 0x72178f2d
mscorlib+0x2cb060 @ 0x7213b060
0x76107e
0x7600f2
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95
CopyPDBs+0x4c45 DllCanUnloadNowInternal-0x3c392 clr+0x19a887 @ 0x72fca887
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7670b479
registers.esp: 1828476
registers.edi: 1980555208
registers.eax: 16777216
registers.ebp: 1828680
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0

__exception__

Jan. 19, 2022, 11:32 a.m.

stacktrace:

K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e
0x505b56d
0x6e1d82
0x6d86b7
0x6da41c
0x6da0d6
0x6d7614
0x6d7561
0x6d74c8
0x750584
0x75040e
0x7500c5
0x6d7614
0x6d7561
0x6d74c8
0x750584
0x75040e
0x7500c5
0x6d7614
0x6d7561
0x6d74c8
0x750584
0x75040e
0x7500c5
0x6d7614
0x6d7561
0x6d74c8
0x6d0fb9
0x6d0f7b
0x6d0f3d
0x6de0ca
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737
mscorlib+0x2d3711 @ 0x72143711
mscorlib+0x308f2d @ 0x72178f2d
mscorlib+0x2cb060 @ 0x7213b060
0x76107e
0x7600f2
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95
CopyPDBs+0x4c45 DllCanUnloadNowInternal-0x3c392 clr+0x19a887 @ 0x72fca887
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7670b479
registers.esp: 1828476
registers.edi: 1980555208
registers.eax: 4194304
registers.ebp: 1828680
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0

__exception__

Jan. 19, 2022, 11:32 a.m.

stacktrace:

K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e
0x505b56d
0x6e1d82
0x6d86b7
0x6da41c
0x6da0d6
0x6d7614
0x6d7561
0x6d74c8
0x750584
0x75040e
0x7500c5
0x6d7614
0x6d7561
0x6d74c8
0x750584
0x75040e
0x7500c5
0x6d7614
0x6d7561
0x6d74c8
0x750584
0x75040e
0x7500c5
0x6d7614
0x6d7561
0x6d74c8
0x6d0fb9
0x6d0f7b
0x6d0f3d
0x6de0ca
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737
mscorlib+0x2d3711 @ 0x72143711
mscorlib+0x308f2d @ 0x72178f2d
mscorlib+0x2cb060 @ 0x7213b060
0x76107e
0x7600f2
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95
CopyPDBs+0x4c45 DllCanUnloadNowInternal-0x3c392 clr+0x19a887 @ 0x72fca887
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7670b479
registers.esp: 1828476
registers.edi: 1980555208
registers.eax: 3211264
registers.ebp: 1828680
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET http://ozzyingilizce.com/wp-content/sgu/Qwjzfxxa.jpeg
suspicious_features	GET method with no useragent header				suspicious_request	GET http://www.111439d.com/oh75/?t8o=B/bERt/wHlpGPiClXgpfUqPFQza98qmzfCoqaQ0lPZ79RyiuCHtVYbWjzhGosQ6oTRTw5T6w&UlX=XvLHM

Performs some HTTP requests (2 events)

request	GET http://ozzyingilizce.com/wp-content/sgu/Qwjzfxxa.jpeg
request	GET http://www.111439d.com/oh75/?t8o=B/bERt/wHlpGPiClXgpfUqPFQza98qmzfCoqaQ0lPZ79RyiuCHtVYbWjzhGosQ6oTRTw5T6w&UlX=XvLHM

Allocates read-write-execute memory (usually to unpack itself) (50 out of 216 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00580000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02390000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00761000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00762000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00764000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003dd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00765000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0076d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003de000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0076e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0076f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003df000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006dd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006de000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006df000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00751000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00752000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00753000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	"C:\Windows\system32\cmd.exe" /c timeout 19
cmdline	powershell -enc YwBtAGQAIAAvAGMAIAB0AGkAbQBlAG8AdQB0ACAAMQA5AA==
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc YwBtAGQAIAAvAGMAIAB0AGkAbQBlAG8AdQB0ACAAMQA5AA==

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Jan. 19, 2022, 11:31 a.m.	show_type: 0 filepath_r: powershell parameters: -enc YwBtAGQAIAAvAGMAIAB0AGkAbQBlAG8AdQB0ACAAMQA5AA== filepath: powershell	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Jan. 19, 2022, 11:31 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Jan. 19, 2022, 11:32 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Jan. 19, 2022, 11:31 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Jan. 19, 2022, 11:32 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Jan. 19, 2022, 11:32 a.m.	process_identifier: 2576 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000021c	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\update

reg_value

"C:\Users\test22\AppData\Roaming\update\update.exe"

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Jan. 19, 2022, 11:32 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $«üêïf¹ïf¹ïf¹ôÍ¹©f¹ôø¹ìf¹ôû¹îf¹Richïf¹PEL½~KRà Òððð@ð@.textTÑÒ ` base_address: 0x00400000 process_identifier: 2576 process_handle: 0x0000021c	1	1	0
WriteProcessMemory Jan. 19, 2022, 11:32 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2576 process_handle: 0x0000021c	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Jan. 19, 2022, 11:32 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $«üêïf¹ïf¹ïf¹ôÍ¹©f¹ôø¹ìf¹ôû¹îf¹Richïf¹PEL½~KRà Òððð@ð@.textTÑÒ ` base_address: 0x00400000 process_identifier: 2576 process_handle: 0x0000021c	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2772 called NtSetContextThread to modify thread in remote process 2576
NtSetContextThread Jan. 19, 2022, 11:32 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4321520 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000260 process_identifier: 2576	1	0	0

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

"C:\Windows\system32\cmd.exe" /c timeout 19

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2772 resumed a thread in remote process 2576
NtResumeThread Jan. 19, 2022, 11:32 a.m.	thread_handle: 0x00000260 suspend_count: 1 process_identifier: 2576	1	0	0

The process powershell.exe wrote an executable file to disk (21 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Windows\System32\cmd.exe

Executed a process and injected code into it, probably while unpacking (21 events)

Time & API	Arguments	Status	Return
NtResumeThread Jan. 19, 2022, 11:31 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2772	1	0
NtResumeThread Jan. 19, 2022, 11:31 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2772	1	0
NtResumeThread Jan. 19, 2022, 11:31 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2772	1	0
NtResumeThread Jan. 19, 2022, 11:31 a.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 2772	1	0
CreateProcessInternalW Jan. 19, 2022, 11:31 a.m.	thread_identifier: 2888 thread_handle: 0x00000390 process_identifier: 2884 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc YwBtAGQAIAAvAGMAIAB0AGkAbQBlAG8AdQB0ACAAMQA5AA== filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000398	1	1
NtResumeThread Jan. 19, 2022, 11:31 a.m.	thread_handle: 0x00000484 suspend_count: 1 process_identifier: 2772	1	0
NtResumeThread Jan. 19, 2022, 11:32 a.m.	thread_handle: 0x00000470 suspend_count: 1 process_identifier: 2772	1	0
CreateProcessInternalW Jan. 19, 2022, 11:32 a.m.	thread_identifier: 2572 thread_handle: 0x00000260 process_identifier: 2576 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\7823754719107729.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000021c	1	1
NtGetContextThread Jan. 19, 2022, 11:32 a.m.	thread_handle: 0x00000260	1	0
NtAllocateVirtualMemory Jan. 19, 2022, 11:32 a.m.	process_identifier: 2576 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000021c	1	0
WriteProcessMemory Jan. 19, 2022, 11:32 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $«üêïf¹ïf¹ïf¹ôÍ¹©f¹ôø¹ìf¹ôû¹îf¹Richïf¹PEL½~KRà Òððð@ð@.textTÑÒ ` base_address: 0x00400000 process_identifier: 2576 process_handle: 0x0000021c	1	1
WriteProcessMemory Jan. 19, 2022, 11:32 a.m.	buffer: base_address: 0x00401000 process_identifier: 2576 process_handle: 0x0000021c	1	1
WriteProcessMemory Jan. 19, 2022, 11:32 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2576 process_handle: 0x0000021c	1	1
NtSetContextThread Jan. 19, 2022, 11:32 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4321520 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000260 process_identifier: 2576	1	0
NtResumeThread Jan. 19, 2022, 11:32 a.m.	thread_handle: 0x00000260 suspend_count: 1 process_identifier: 2576	1	0
NtResumeThread Jan. 19, 2022, 11:31 a.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 2884	1	0
NtResumeThread Jan. 19, 2022, 11:31 a.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 2884	1	0
NtResumeThread Jan. 19, 2022, 11:31 a.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 2884	1	0
CreateProcessInternalW Jan. 19, 2022, 11:31 a.m.	thread_identifier: 3012 thread_handle: 0x00000448 process_identifier: 3008 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\system32\cmd.exe" /c timeout 19 filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x0000044c	1	1
NtResumeThread Jan. 19, 2022, 11:31 a.m.	thread_handle: 0x00000490 suspend_count: 1 process_identifier: 2884	1	0
CreateProcessInternalW Jan. 19, 2022, 11:31 a.m.	thread_identifier: 3056 thread_handle: 0x00000084 process_identifier: 3052 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\timeout.exe track: 1 command_line: timeout 19 filepath_r: C:\Windows\system32\timeout.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1

File has been identified by 33 AntiVirus engines on VirusTotal as malicious (33 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.38587846
FireEye	Generic.mg.26c5dc4002976b3b
Cylance	Unsafe
Sangfor	Trojan.MSIL.Agent_AGen.GO
K7GW	Trojan-Downloader ( 0058cf791 )
CrowdStrike	win/malicious_confidence_90% (W)
BitDefenderTheta	Gen:NN.ZemsilF.34160.km0@aq3fP!e
Cyren	W32/Faker.Q.gen!Eldorado
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.KBM
TrendMicro-HouseCall	TROJ_GEN.R002H0CAI22
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Spy.MSIL.Quasar.gen
BitDefender	Trojan.GenericKD.38587846
Avast	Win32:MalwareX-gen [Trj]
Tencent	Msil.Trojan-downloader.Agent_agen.Hssr
Ad-Aware	Trojan.GenericKD.38587846
Sophos	Mal/Generic-S
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Trojan.GenericKD.38587846 (B)
Webroot	W32.Trojan.Gen
MAX	malware (ai score=89)
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:Win32/Woreflint.A!cl
GData	Trojan.GenericKD.38587846
Cynet	Malicious (score: 100)
McAfee	RDN/Generic PWS.y
Malwarebytes	Trojan.Downloader
APEX	Malicious
Rising	Malware.Obfus/MSIL@AI.92 (RDM.MSIL:k0VYYQ3egmIquC8O+Wgb3Q)
SentinelOne	Static AI - Malicious PE
Fortinet	W32/Agent.KAD!tr
AVG	Win32:MalwareX-gen [Trj]

7823754719107729.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All