Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 7, 2022, 10:53 a.m.	April 7, 2022, 10:59 a.m.

Size	833.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`b0cd0bc56c83837d045d7895de83839e`
SHA256	`45bfa430fc35eaf3cdcc6590a02fcb51a7adf787367e32f2677dd2788804ca8e`
CRC32	`5072FDFE`
ssdeep	`12288:fAO8XvRAEJwKMEV9xd9iH0WbFt0aYJHBs7BNBAHVDuPgofOdFZSityjK:h8fRPJp7fd9I0W5t6HK7bBAHVa5sXdH`
Yara	IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature

Quote#0022.exe "C:\Users\test22\AppData\Local\Temp\Quote#0022.exe"
2804
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\vPHJXbT.exe"
  1664
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vPHJXbT" /XML "C:\Users\test22\AppData\Local\Temp\tmp8567.tmp"
  2104

Name	Response	Post-Analysis Lookup
ip-api.com	A 208.95.112.1	208.95.112.1

IP Address	Status	Action
164.124.101.2	Active	Moloch
208.95.112.1	Active	Moloch
216.250.250.94	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49170 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 7, 2022, 10:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 7, 2022, 10:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 7, 2022, 10:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 7, 2022, 10:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 7, 2022, 10:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 7, 2022, 10:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 7, 2022, 10:53 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 7, 2022, 10:52 a.m.			0	0
IsDebuggerPresent April 7, 2022, 10:52 a.m.			0	0
IsDebuggerPresent April 7, 2022, 10:53 a.m.			0	0

Command line console output was observed (10 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 7, 2022, 10:53 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW April 7, 2022, 10:53 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW April 7, 2022, 10:53 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW April 7, 2022, 10:53 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW April 7, 2022, 10:53 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Roaming\vPHJXbT console_handle: 0x00000053	1	1
WriteConsoleW April 7, 2022, 10:53 a.m.	buffer: .exe console_handle: 0x0000005f	1	1
WriteConsoleW April 7, 2022, 10:53 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW April 7, 2022, 10:53 a.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW April 7, 2022, 10:53 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW April 7, 2022, 10:53 a.m.	buffer: SUCCESS: The scheduled task "Updates\vPHJXbT" has successfully been created. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cffb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d0530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d0530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d0530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d00b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d00b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d00b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d00b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d00b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d00b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfb70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfb70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfb70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d0530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d0530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d0530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d0430 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d0530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d0530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d0530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d0530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d0530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d0530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d0530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfcb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfcb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfcb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfcb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfcb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfcb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfcb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfcb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfcb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfcb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfcb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfcb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfcb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfcb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d0930 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d0930 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d0930 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d0930 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d0930 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d0930 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d0930 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 7, 2022, 10:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d0930 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 7, 2022, 10:52 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET http://ip-api.com/json/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 175 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 7, 2022, 10:52 a.m.	process_identifier: 2804 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:52 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2022, 10:52 a.m.	process_identifier: 2804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2022, 10:52 a.m.	process_identifier: 2804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:52 a.m.	process_identifier: 2804 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:52 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:52 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00412000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:52 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00445000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:52 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:52 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:52 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:52 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:52 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:52 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:52 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00437000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:52 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:52 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00436000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:52 a.m.	process_identifier: 2804 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2022, 10:52 a.m.	process_identifier: 2804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a22000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:52 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 2804 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ae000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006af000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c5f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 2804 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c68000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 2804 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c69000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 1664 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 1664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 1664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f561000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 1664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 1664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f562000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 1664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 1664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 1664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 1664 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 1664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0275a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 1664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 1664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Looks up the external IP address (1 event)

domain

ip-api.com

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\vPHJXbT.exe"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vPHJXbT" /XML "C:\Users\test22\AppData\Local\Temp\tmp8567.tmp"
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\vPHJXbT.exe"
cmdline	schtasks.exe /Create /TN "Updates\vPHJXbT" /XML "C:\Users\test22\AppData\Local\Temp\tmp8567.tmp"

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW April 7, 2022, 10:53 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\vPHJXbT.exe" filepath: powershell	1	1	0
ShellExecuteExW April 7, 2022, 10:53 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\vPHJXbT" /XML "C:\Users\test22\AppData\Local\Temp\tmp8567.tmp" filepath: schtasks.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0009e400', u'virtual_address': u'0x00002000', u'entropy': 7.944702413865939, u'name': u'.text', u'virtual_size': u'0x0009e054'}

entropy

7.94470241387

description

A section with a high entropy has been found

entropy

0.760817307692

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 7, 2022, 10:53 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 7, 2022, 10:53 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (15 events)

description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Run a KeyLogger	rule	KeyLogger
description	Win32 PWS Loki	rule	Win32_PWS_Loki_Zero
description	task schedule	rule	schtasks_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess April 7, 2022, 10:53 a.m.	status_code: 0xffffffff process_identifier: 2388 process_handle: 0x000003f8		0	0
NtTerminateProcess April 7, 2022, 10:53 a.m.	status_code: 0xffffffff process_identifier: 2388 process_handle: 0x000003f8	1	0	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vPHJXbT" /XML "C:\Users\test22\AppData\Local\Temp\tmp8567.tmp"
cmdline	schtasks.exe /Create /TN "Updates\vPHJXbT" /XML "C:\Users\test22\AppData\Local\Temp\tmp8567.tmp"

Communicates with host for which no DNS query was performed (1 event)

host

216.250.250.94

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 2388 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003f4		3221225496	0
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 2392 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000041c	1	0	0

Manipulates memory of a non-child process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2804 manipulating memory of non-child process 2388
Process injection	Process 2804 manipulating memory of non-child process 2392
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 2388 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003f4		3221225496	0
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 2392 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000041c	1	0	0

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2804 injected into non-child 2392
WriteProcessMemory April 7, 2022, 10:53 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¬ûLbàbÞ @ à@W À H.textäa b `.rsrc d@@.relocÀn@B base_address: 0x00400000 process_identifier: 2392 process_handle: 0x0000041c	1	1	0
WriteProcessMemory April 7, 2022, 10:53 a.m.	buffer: P8hd ÔÔ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°4StringFileInfo000004b0Comments"CompanyNameFileDescription0FileVersion1.3.0.06InternalNameClient.exe&LegalCopyrightLegalTrademarks>OriginalFilenameClient.exe"ProductName4ProductVersion1.3.0.08Assembly Version1.3.0.0t£ï»¿<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly> base_address: 0x0045a000 process_identifier: 2392 process_handle: 0x0000041c	1	1	0
WriteProcessMemory April 7, 2022, 10:53 a.m.	buffer: à1 base_address: 0x0045c000 process_identifier: 2392 process_handle: 0x0000041c	1	1	0
WriteProcessMemory April 7, 2022, 10:53 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2392 process_handle: 0x0000041c	1	1	0

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2804 injected into non-child 2392
WriteProcessMemory April 7, 2022, 10:53 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¬ûLbàbÞ @ à@W À H.textäa b `.rsrc d@@.relocÀn@B base_address: 0x00400000 process_identifier: 2392 process_handle: 0x0000041c	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2804 called NtSetContextThread to modify thread in remote process 2392
NtSetContextThread April 7, 2022, 10:53 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4555230 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003f8 process_identifier: 2392	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2804 resumed a thread in remote process 2392
NtResumeThread April 7, 2022, 10:53 a.m.	thread_handle: 0x000003f8 suspend_count: 1 process_identifier: 2392	1	0	0

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

Elastic	malicious (high confidence)
DrWeb	Trojan.Siggen17.35002
MicroWorld-eScan	Gen:Variant.Strictor.265298
FireEye	Gen:Variant.Strictor.265298
ALYac	Gen:Variant.Strictor.265298
Malwarebytes	MachineLearning/Anomalous.95%
Cyren	W32/MSIL_Kryptik.GYS.gen!Eldorado
Symantec	Scr.Malcode!gdn30
ESET-NOD32	a variant of MSIL/Kryptik.AEST
Kaspersky	VHO:Trojan-PSW.MSIL.Agensla.gen
BitDefender	Gen:Variant.Strictor.265298
Avast	Win32:PWSX-gen [Trj]
Ad-Aware	Gen:Variant.Strictor.265298
Emsisoft	Gen:Variant.Strictor.265298 (B)
McAfee-GW-Edition	BehavesLike.Win32.Generic.cc
Trapmine	malicious.high.ml.score
Microsoft	Trojan:Win32/Woreflint.A!cl
Arcabit	Trojan.Strictor.D40C52
GData	Gen:Variant.Strictor.265298
Cynet	Malicious (score: 100)
McAfee	AgentTesla-FDGQ!B0CD0BC56C83
MAX	malware (ai score=84)
APEX	Malicious
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.AEPF!tr
AVG	Win32:PWSX-gen [Trj]
Cybereason	malicious.0e5bdb

Executed a process and injected code into it, probably while unpacking (22 events)

Time & API	Arguments	Status	Return
NtResumeThread April 7, 2022, 10:52 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2804	1	0
NtResumeThread April 7, 2022, 10:52 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2804	1	0
NtResumeThread April 7, 2022, 10:52 a.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 2804	1	0
CreateProcessInternalW April 7, 2022, 10:53 a.m.	thread_identifier: 1660 thread_handle: 0x00000410 process_identifier: 1664 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\vPHJXbT.exe" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000414	1	1
CreateProcessInternalW April 7, 2022, 10:53 a.m.	thread_identifier: 2228 thread_handle: 0x000003f4 process_identifier: 2104 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vPHJXbT" /XML "C:\Users\test22\AppData\Local\Temp\tmp8567.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000041c	1	1
CreateProcessInternalW April 7, 2022, 10:53 a.m.	thread_identifier: 2088 thread_handle: 0x00000414 process_identifier: 2388 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\Quote#0022.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\Quote#0022.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003f4	1	1
NtGetContextThread April 7, 2022, 10:53 a.m.	thread_handle: 0x00000414	1	0
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 2388 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003f4		3221225496
CreateProcessInternalW April 7, 2022, 10:53 a.m.	thread_identifier: 2396 thread_handle: 0x000003f8 process_identifier: 2392 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\Quote#0022.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\Quote#0022.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000041c	1	1
NtGetContextThread April 7, 2022, 10:53 a.m.	thread_handle: 0x000003f8	1	0
NtAllocateVirtualMemory April 7, 2022, 10:53 a.m.	process_identifier: 2392 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000041c	1	0
WriteProcessMemory April 7, 2022, 10:53 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¬ûLbàbÞ @ à@W À H.textäa b `.rsrc d@@.relocÀn@B base_address: 0x00400000 process_identifier: 2392 process_handle: 0x0000041c	1	1
WriteProcessMemory April 7, 2022, 10:53 a.m.	buffer: base_address: 0x00402000 process_identifier: 2392 process_handle: 0x0000041c	1	1
WriteProcessMemory April 7, 2022, 10:53 a.m.	buffer: P8hd ÔÔ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°4StringFileInfo000004b0Comments"CompanyNameFileDescription0FileVersion1.3.0.06InternalNameClient.exe&LegalCopyrightLegalTrademarks>OriginalFilenameClient.exe"ProductName4ProductVersion1.3.0.08Assembly Version1.3.0.0t£ï»¿<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly> base_address: 0x0045a000 process_identifier: 2392 process_handle: 0x0000041c	1	1
WriteProcessMemory April 7, 2022, 10:53 a.m.	buffer: à1 base_address: 0x0045c000 process_identifier: 2392 process_handle: 0x0000041c	1	1
WriteProcessMemory April 7, 2022, 10:53 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2392 process_handle: 0x0000041c	1	1
NtSetContextThread April 7, 2022, 10:53 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4555230 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003f8 process_identifier: 2392	1	0
NtResumeThread April 7, 2022, 10:53 a.m.	thread_handle: 0x000003f8 suspend_count: 1 process_identifier: 2392	1	0
NtResumeThread April 7, 2022, 10:53 a.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 1664	1	0
NtResumeThread April 7, 2022, 10:53 a.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 1664	1	0
NtResumeThread April 7, 2022, 10:53 a.m.	thread_handle: 0x00000390 suspend_count: 1 process_identifier: 1664	1	0
NtResumeThread April 7, 2022, 10:53 a.m.	thread_handle: 0x0000041c suspend_count: 1 process_identifier: 1664	1	0

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (7 events)

dead_host	192.168.56.101:49171
dead_host	192.168.56.101:49175
dead_host	192.168.56.101:49174
dead_host	192.168.56.101:49176
dead_host	192.168.56.101:49173
dead_host	192.168.56.101:49172
dead_host	216.250.250.94:4788

Quote#0022.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All