Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 28, 2022, 9:18 a.m.	June 28, 2022, 9:41 a.m.

Size	789.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`d39d493b27584c9c4dc9e0d3f03d0a0a`
SHA256	`44218ac9cedc1b94a4f7ca1483be08ee58ccfe2f380aeef668e1ba887bd2520b`
CRC32	`FE36C08F`
ssdeep	`12288:05PBgXmof7B+fpR0IWxC3LUAcNTIg1sCpuTw3BlgkDhkaWfOzWoxKnr5byks6u8:0hSWaS3Wm/cNsKvgkrDhkDOzWLU6u8`
Yara	IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
2352
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
  2464
- InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2676
  - InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /stext "C:\Users\test22\AppData\Local\Temp\eeghiqcgh"
    2884
  - InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /stext "C:\Users\test22\AppData\Local\Temp\pyuriinavenvg"
    2944
  - InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /stext "C:\Users\test22\AppData\Local\Temp\zazkjbgbjmfzqsno"
    3008

Name	Response	Post-Analysis Lookup
imranmhemoodcheema.ddns.net	A 179.43.154.168	179.43.154.168
geoplugin.net	A 178.237.33.50	178.237.33.50

IP Address	Status	Action
164.124.101.2	Active	Moloch
178.237.33.50	Active	Moloch
179.43.154.168	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:60117 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 179.43.154.168:8903	2036594	ET JA3 Hash - Remcos 3.x TLS Connection	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 179.43.154.168:8903	2036594	ET JA3 Hash - Remcos 3.x TLS Connection	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.103:49167 179.43.154.168:8903	None	None	None
TLS 1.3 192.168.56.103:49166 179.43.154.168:8903	None	None	None

Queries for the computername (10 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 28, 2022, 9:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 28, 2022, 9:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 28, 2022, 9:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 28, 2022, 9:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 28, 2022, 9:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 28, 2022, 9:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 28, 2022, 9:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 28, 2022, 9:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 28, 2022, 9:18 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 28, 2022, 9:18 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 28, 2022, 9:18 a.m.			0	0
IsDebuggerPresent June 28, 2022, 9:18 a.m.			0	0
IsDebuggerPresent June 28, 2022, 9:18 a.m.			0	0
IsDebuggerPresent June 28, 2022, 9:18 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (47 events)

Time & API	Arguments	Status	Return
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9cb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9eb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9eb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618fe8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618fe8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618fe8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618b68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618b68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618b68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618b68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618b68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618b68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618fe8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618fe8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618fe8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618b28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618768 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618768 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618768 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618768 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618768 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618768 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618768 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618768 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618768 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618768 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618768 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618768 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618768 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618768 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006193e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2022, 9:18 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006193e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 28, 2022, 9:18 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 28, 2022, 9:18 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7689b37e 0x4c6522d 0x49b2512 0x21543a0 0x2154124 0x2157b78 0x2151e63 0x2151dda 0x2151c67 0x229e97d 0x2296034 0x2295fc3 0x2295f4c 0x2295f02 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73972652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7398264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x739f1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x739f1737 mscorlib+0x2d36ad @ 0x722a36ad mscorlib+0x308f2d @ 0x722d8f2d 0x2154d13 0x2154c2e 0x2154124 0x2157b78 0x2151e63 0x2151dda 0x2151c67 0x229e97d 0x2296034 0x2295fc3 0x2295f4c 0x2295f02 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73972652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7398264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x739f1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x739f1737 mscorlib+0x2d36ad @ 0x722a36ad mscorlib+0x308f2d @ 0x722d8f2d 0x2154d13 0x2154c2e 0x2154124 0x2157b78 0x2151e63 0x2151dda 0x2151c67 0x229e97d 0x2296034 0x2295fc3 0x2295f4c 0x2295f02 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73972652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7398264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x739f1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x739f1737 mscorlib+0x2d3711 @ 0x722a3711 mscorlib+0x308f2d @ 0x722d8f2d 0x2154d13 0x2154c2e 0x2154124 0x2157b78 0x2151e63 0x2151dda 0x2151c67 0x229e97d exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7689b479 registers.esp: 3397152 registers.edi: 1987043272 registers.eax: 8585216 registers.ebp: 3397356 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

June 28, 2022, 9:18 a.m.

stacktrace:

K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7689b37e
0x4c6522d
0x49b2512
0x21543a0
0x2154124
0x2157b78
0x2151e63
0x2151dda
0x2151c67
0x229e97d
0x2296034
0x2295fc3
0x2295f4c
0x2295f02
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73972652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7398264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x739f1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x739f1737
mscorlib+0x2d36ad @ 0x722a36ad
mscorlib+0x308f2d @ 0x722d8f2d
0x2154d13
0x2154c2e
0x2154124
0x2157b78
0x2151e63
0x2151dda
0x2151c67
0x229e97d
0x2296034
0x2295fc3
0x2295f4c
0x2295f02
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73972652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7398264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x739f1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x739f1737
mscorlib+0x2d36ad @ 0x722a36ad
mscorlib+0x308f2d @ 0x722d8f2d
0x2154d13
0x2154c2e
0x2154124
0x2157b78
0x2151e63
0x2151dda
0x2151c67
0x229e97d
0x2296034
0x2295fc3
0x2295f4c
0x2295f02
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73972652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7398264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x739f1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x739f1737
mscorlib+0x2d3711 @ 0x722a3711
mscorlib+0x308f2d @ 0x722d8f2d
0x2154d13
0x2154c2e
0x2154124
0x2157b78
0x2151e63
0x2151dda
0x2151c67
0x229e97d

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7689b479
registers.esp: 3397152
registers.edi: 1987043272
registers.eax: 8585216
registers.ebp: 3397356
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://geoplugin.net/json.gp

Connects to a Dynamic DNS Domain (1 event)

domain

imranmhemoodcheema.ddns.net

Performs some HTTP requests (1 event)

request

GET http://geoplugin.net/json.gp

Allocates read-write-execute memory (usually to unpack itself) (50 out of 269 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00900000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73971000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73972000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02070000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02170000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00425000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00427000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00416000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00417000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00791000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00792000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00793000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00794000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00795000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00796000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00797000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00798000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0081f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00810000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00799000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0079a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006bf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02290000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02291000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02292000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02293000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00811000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02294000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02295000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02296000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00812000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02297000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02298000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

InstallUtil.exe tried to sleep 288 seconds, actually delayed analysis time by 288 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (3 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW June 28, 2022, 9:18 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 28, 2022, 9:18 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 28, 2022, 9:18 a.m.	number_of_free_clusters: 2498841 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1

Steals private information from local Internet browsers (50 out of 66 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Login Data

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
cmdline	Powershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 28, 2022, 9:18 a.m.	show_type: 0 filepath_r: Powershell parameters: -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA== filepath: Powershell	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (3 events)

Time & API	Arguments	Status	Return
Process32NextW June 28, 2022, 9:18 a.m.	snapshot_handle: 0x00000130 process_name: pw.exe process_identifier: 1588	1	1
Process32NextW June 28, 2022, 9:18 a.m.	snapshot_handle: 0x00000130 process_name: taskhost.exe process_identifier: 2184	1	1
Process32NextW June 28, 2022, 9:18 a.m.	snapshot_handle: 0x00000130 process_name: InstallUtil.exe process_identifier: 2884	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x000af800', u'virtual_address': u'0x00002000', u'entropy': 7.998440767877275, u'name': u'.text', u'virtual_size': u'0x000af7c4'}

entropy

7.99844076788

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00015a00', u'virtual_address': u'0x000b2000', u'entropy': 7.383967251071401, u'name': u'.rsrc', u'virtual_size': u'0x00015a00'}

entropy

7.38396725107

description

A section with a high entropy has been found

entropy

0.999366286439

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW June 28, 2022, 9:18 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 28, 2022, 9:18 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 28, 2022, 9:18 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (49 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Run a KeyLogger	rule	KeyLogger
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	browser info stealer	rule	infoStealer_browser_Zero
description	File Downloader	rule	Network_Downloader
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (1 event)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExA June 28, 2022, 9:18 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian		2	0

Allocates execute permission to another process indicative of possible code injection (4 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2676 region_size: 503808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000380	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2884 region_size: 491520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002c8	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2944 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002c8	1
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 3008 region_size: 356352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002c8	1

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Fhzjx

reg_value

"C:\Users\test22\AppData\Roaming\Wcmxjutqc\Fhzjx.exe"

Harvests information related to installed instant messenger clients (5 events)

file	C:\Users\test22\AppData\Roaming\Digsby\digsby.dat
file	C:\Users\test22\AppData\Roaming\MySpace\IM\users.txt
registry	HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords
registry	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
registry	HKEY_CURRENT_USER\Software\Paltalk

Potential code injection by writing to the memory of another process (15 events)

Time & API	Arguments	Status	Return
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ýð2w\$\$\$- $\$- ¯$?\$- ®$\$éØ$\$1$\$¢Ï_%\$¢ÏY%£\$¢ÏX%»\$éÏ$\$]$µ\$ÏU%Æ\$Ï£$\$Ï^%\$Rich\$PEL+¼bà0=@@°8ð TKp8ð{8\|(\|@@°.text½.0 `.rdatap@r4@@.data¼?À¦@À.tls ´@À.gfids0¶@@.rsrcTK Lº@@.reloc8p:@B base_address: 0x00400000 process_identifier: 2676 process_handle: 0x00000380	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ lEpEjE..pÁFLÖFLÖFLÖFLÖFLÖFLÖFLÖFLÖFLÖFtÁFPÖFPÖFPÖFPÖFPÖFPÖFPÖFxÁFÿÿÿÿpEÂFÂFÂFÂFÂFxÁFðEpE¸EØÁFpÇFCPSTPDT ÂFàÂFÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZpÇFþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨3ðqFãAüqF!ArF¨AtFE.?AVtype_info@@tFE.?AVbad_alloc@std@@tFE.?AVbad_array_new_length@std@@tFE.?AVlogic_error@std@@tFE.?AVlength_error@std@@tFE.?AVout_of_range@std@@tFE.?AV_Facet_base@std@@tFE.?AV_Locimp@locale@std@@tFE.?AVfacet@locale@std@@tFE.?AU_Crt_new_delete@std@@tFE.?AVcodecvt_base@std@@tFE.?AUctype_base@std@@tFE.?AV?$ctype@D@std@@tFE.?AV?$codecvt@DDU_Mbstatet@@@std@@tFE.?AVbad_exception@std@@tFE.HtFE.?AVfailure@ios_base@std@@tFE.?AVruntime_error@std@@tFE.?AVsystem_error@std@@tFE.?AVbad_cast@std@@tFE.?AV_System_error@std@@tFE.?AVexception@std@@ base_address: 0x0046c000 process_identifier: 2676 process_handle: 0x00000380	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: base_address: 0x00470000 process_identifier: 2676 process_handle: 0x00000380	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: eüJüg>¿Ùg>'g>Ig>{° a·`C^CÏ¸¾¸_g>g>MãLáOÍÇqÃ{ß{ß@AþC¦~Á£ýÔç×4ÞàÜÆM) % b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x00471000 process_identifier: 2676 process_handle: 0x00000380	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2676 process_handle: 0x00000380	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: MZ@ÿÿ¸ º´ Í!¸LÍ!Win32 .EXE. $@PEL´Ë^àÐètbà@!f `tpð`X.MPRESS1Pöàà.MPRESS2Þ `øàà.rsrcp@Àv2.19 base_address: 0x00400000 process_identifier: 2884 process_handle: 0x000002c8	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: ð`\|að`ü`aü`aaaa§aaaÄaaaäaa$a÷a$a,a b,a4a&b4a<aAb<aDa[bDaXakaa³aÐaïabb3bMbebGetModuleHandleAGetProcAddressKERNEL32.DLLmsvcrt.dllabsCOMCTL32.dllVERSION.dllVerQueryValueWWININET.dllFindCloseUrlCacheUSER32.dllGetDCGDI32.dllSetBkModecomdlg32.dllFindTextWADVAPI32.dllRegCloseKeySHELL32.dllSHGetMallocole32.dllCoInitialize`èXZ0ð+ÀþfÁàÈP+ÈñÈWQID91uö+À¬Èáð$Ááè¬ÈQÍ½ýÿÿÓåYXÜ¤lñÿÿQ+ÉQQÌQfÁâRWÁQPÁVQè^ã^Z+À2´+Ð+É;Ês&Ù¬A$þ<èuòCÁÀx;ÂsåëÃxßÂ+ÃFüëÖè_ÇMÿÿÿ°éª¸V«èX é UWVSì\|$ÇD$tÆD$s¬$BD$x¸¶JØÓãËIL$l¶JÓàHD$h$¨¶2ÇEÇD$`Ç¸t$dÇD$\ÇD$XÇD$TÇD$P¶JÎÓà69L$tsD$xfÇÀâö$3ÿÇD$HÿÿÿÿÓ$T$L3Ò;\$L} ¶ÁçBCøú~ç$¤9L$te t$t#t$lD$`T$xÁàt$DÆ\|$Hÿÿÿ,Bw;\$L- Ád$H¶ÁçCøD$HfUÁè·Ê¯Á;øÝD$H¸+ÁL$dÁø¾¶T$sfED$t#D$hl$xÓà¹+L$dÓúÂiÀ\|$`(lD$ÊD$t+D$\$ ¶D$@Ñd$@L$@6l$á\|$HÿÿÿDML$<,w;\$LaÁd$H¶ÁçCøD$HfÁè·ñ¯Æ;øs#D$H¸+ÆòÁø\|$<ft"ë.)D$H+øÁrfÁèf+È\|$<ftþÿWÿÿÿëyþÿq6l$ê\|$Hÿÿÿw;\$LÅÁd$H¶ÁçCøD$HfMÁè·ñ¯Æ;øsD$H¸+ÆòÁøfEë)D$H+øÁrfÁèf+ÈfMëT$tÆ$ D$sB\|$`T$t ÇD$`é\|$` l$`él$`éL$H+øt$`+ÈÂfÁèf+ÐùÿÿÿfUl$xtut$8w;\$Lò¶ÁçÁáCøl$8ÁÁèf·ê¯Å;øsRð¸+Ål$XÁøL$TT$8L$PL$xfD$\l$TD$X3À\|$`ÀÁd@D$`étñ+ø+ðÂfÁèL$8f+Ðþÿÿÿfw;\$LN¶ÁçÁæCøl$8ÖÁêf·Á¯Ð;úã½ò+èÇD$4ÅÁøL$8fD$`L$DÁàD$xúÿÿÿ,Hw;\$LÜ¶ÁçÁæCøfàÆÁè·Ê¯Á;øs`)L$4Á\|$4t$4D$H\|$tfà3À\|$`¬$ T$tÀD D$`D$t+D$\(D$sDBT$té2+ð+øÂfÁèf+ÐfàéÁ+òfÁèl$8f+È+úþÿÿÿfw;\$L¶ÁçÁæCøL$8ÆÁèf°·Ê¯Á;øs#ð¸+Ál$8Áøf°D$Xé Î+ø+ÈÂfÁèf+ÐD$8ùÿÿÿf°w;\$L¢¶ÁçÁáCøt$8ÁÁèfÈ·ê¯Å;øs ð¸+Ål$8ÁøfÈD$Të&ñ+ø+ðÂfÁèf+ÐD$8fÈT$TD$PT$PL$XL$Tl$\D$\l$X3À\|$`L$xÀÁh D@D$`þÿÿÿw;\$Lô¶ÁçÁæCøfÆÁè·ê¯Å;øs/D$H¸+ÅÁd$DÁøÇD$,fD$DLL$ër+ð+øÂfÁèf+Ðþÿÿÿfw;\$L¶ÁçÁæCøfQÆÁè·ê¯Å;øs;D$H¸+ÅÁd$DÁøÇD$,T$DfA L$ÇD$0ë/+ð+øÂt$HfÁèÇD$,f+ÐÇD$0fQÁL$L$0ºL$(,t$õ\|$Hÿÿÿw;\$LÒÁd$H¶ÁçCøD$HfÁè·Ê¯Á;øsD$H¸+ÁÁøÕfë)D$H+øÂfÁèf+ÐfUt$(Nt$(uL$0¸Óà+ÐT$,\|$`T$çD$`úÂ~¸t$xÁàÇD$$0`D$¸,t$õ\|$Hÿÿÿw;\$LÁd$H¶ÁçCøD$HfÁè·Ê¯Á;øsD$H¸+ÁÁøfÅë)D$H+øÂfÁèf+ÐEfl$$Ml$$uPÀú$'ÂòÑøæHÿÎú L$ l$xÓæÒ4$Du+Â^D$ëVPû\|$Hÿÿÿw;\$LWÁd$H¶ÁçCøÑl$Hö;\|$Hr+\|$HÎJuÈD$xÁæ4$DÇD$ D$ÇD$¸l$ÀD$è\|$Hÿÿÿw;\$LëÁd$H¶ÁçCøD$HfUÁè·ò¯Æ;øsD$H¸+ÆÁøfED$ë)D$H+øÂfÁèf+ÐD$fUT$@ $L$ Ñd$IL$ pÿÿÿ4$Ft$\tZL$l$tÁ9l$\w`$ Õ+D$\$ tFD$sBÿD$tIt¬$¤9l$trâë$¤9D$tºöÿÿ\|$Hÿÿÿw;\$L¸t)ë¸ë C+$3À$L$t$¨Ä\|[^_]Ãéä þÿ,¢øÿMs base_address: 0x00476000 process_identifier: 2884 process_handle: 0x000002c8	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: (0p`BIN2H ` 2@ä Ð ø# &H'p/0À?è@R8 èàH4ä KVä 8lLXä `ÄLöä ¼MÚä °NDä ØÜN ä üOºä (¸Pbä PQhäx r\|ä\|4VS_VERSION_INFO½ïþ?ÚStringFileInfo¶040904b00CompanyNameNirSoft`FileDescriptionWeb Browser Password Viewer*FileVersion2.06LInternalNameWeb Browser Pass Viewh"LegalCopyrightCopyright © 2011 - 2020 Nir Sofer.ProductVersion2.06DVarFileInfo$Translation ° base_address: 0x00477000 process_identifier: 2884 process_handle: 0x000002c8	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2884 process_handle: 0x000002c8	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: MZ@ÿÿ¸ º´ Í!¸LÍ!Win32 .EXE. $@PEL»üiTà2¶"P@@÷ 0È H.MPRESS1Öàà.MPRESS2p Øàà.rsrc0æ@Àv2.19 base_address: 0x00400000 process_identifier: 2944 process_handle: 0x000002c8	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: È D!È Ô Q!Ô Ü b!Ü ä o!ä ì !ì ô !ô ü ¸!ü !Ó!!!í!! !3!\!z!!¥!Å!ß!÷!GetModuleHandleAGetProcAddressKERNEL32.DLLmsvcrt.dllabsCOMCTL32.dllUSER32.dllGetDCGDI32.dllSetBkModecomdlg32.dllGetSaveFileNameAADVAPI32.dllRegEnumKeyASHELL32.dllSHGetMallocole32.dllCoInitialize`èXZ0ð+ÀþfÁàÈP+ÈñÈWQID91uö+À¬Èáð$Ááè¬ÈQÍ½ýÿÿÓåYXÜ¤lñÿÿQ+ÉQQÌQfÁâRWÁQPÁVQè^ã^Z+À2´+Ð+É;Ês&Ù¬A$þ<èuòCÁÀx;ÂsåëÃxßÂ+ÃFüëÖè_ÇMÿÿÿ°éª¸V«èX é UWVSì\|$ÇD$tÆD$s¬$BD$x¸¶JØÓãËIL$l¶JÓàHD$h$¨¶2ÇEÇD$`Ç¸t$dÇD$\ÇD$XÇD$TÇD$P¶JÎÓà69L$tsD$xfÇÀâö$3ÿÇD$HÿÿÿÿÓ$T$L3Ò;\$L} ¶ÁçBCøú~ç$¤9L$te t$t#t$lD$`T$xÁàt$DÆ\|$Hÿÿÿ,Bw;\$L- Ád$H¶ÁçCøD$HfUÁè·Ê¯Á;øÝD$H¸+ÁL$dÁø¾¶T$sfED$t#D$hl$xÓà¹+L$dÓúÂiÀ\|$`(lD$ÊD$t+D$\$ ¶D$@Ñd$@L$@6l$á\|$HÿÿÿDML$<,w;\$LaÁd$H¶ÁçCøD$HfÁè·ñ¯Æ;øs#D$H¸+ÆòÁø\|$<ft"ë.)D$H+øÁrfÁèf+È\|$<ftþÿWÿÿÿëyþÿq6l$ê\|$Hÿÿÿw;\$LÅÁd$H¶ÁçCøD$HfMÁè·ñ¯Æ;øsD$H¸+ÆòÁøfEë)D$H+øÁrfÁèf+ÈfMëT$tÆ$ D$sB\|$`T$t ÇD$`é\|$` l$`él$`éL$H+øt$`+ÈÂfÁèf+ÐùÿÿÿfUl$xtut$8w;\$Lò¶ÁçÁáCøl$8ÁÁèf·ê¯Å;øsRð¸+Ål$XÁøL$TT$8L$PL$xfD$\l$TD$X3À\|$`ÀÁd@D$`étñ+ø+ðÂfÁèL$8f+Ðþÿÿÿfw;\$LN¶ÁçÁæCøl$8ÖÁêf·Á¯Ð;úã½ò+èÇD$4ÅÁøL$8fD$`L$DÁàD$xúÿÿÿ,Hw;\$LÜ¶ÁçÁæCøfàÆÁè·Ê¯Á;øs`)L$4Á\|$4t$4D$H\|$tfà3À\|$`¬$ T$tÀD D$`D$t+D$\(D$sDBT$té2+ð+øÂfÁèf+ÐfàéÁ+òfÁèl$8f+È+úþÿÿÿfw;\$L¶ÁçÁæCøL$8ÆÁèf°·Ê¯Á;øs#ð¸+Ál$8Áøf°D$Xé Î+ø+ÈÂfÁèf+ÐD$8ùÿÿÿf°w;\$L¢¶ÁçÁáCøt$8ÁÁèfÈ·ê¯Å;øs ð¸+Ål$8ÁøfÈD$Të&ñ+ø+ðÂfÁèf+ÐD$8fÈT$TD$PT$PL$XL$Tl$\D$\l$X3À\|$`L$xÀÁh D@D$`þÿÿÿw;\$Lô¶ÁçÁæCøfÆÁè·ê¯Å;øs/D$H¸+ÅÁd$DÁøÇD$,fD$DLL$ër+ð+øÂfÁèf+Ðþÿÿÿfw;\$L¶ÁçÁæCøfQÆÁè·ê¯Å;øs;D$H¸+ÅÁd$DÁøÇD$,T$DfA L$ÇD$0ë/+ð+øÂt$HfÁèÇD$,f+ÐÇD$0fQÁL$L$0ºL$(,t$õ\|$Hÿÿÿw;\$LÒÁd$H¶ÁçCøD$HfÁè·Ê¯Á;øsD$H¸+ÁÁøÕfë)D$H+øÂfÁèf+ÐfUt$(Nt$(uL$0¸Óà+ÐT$,\|$`T$çD$`úÂ~¸t$xÁàÇD$$0`D$¸,t$õ\|$Hÿÿÿw;\$LÁd$H¶ÁçCøD$HfÁè·Ê¯Á;øsD$H¸+ÁÁøfÅë)D$H+øÂfÁèf+ÐEfl$$Ml$$uPÀú$'ÂòÑøæHÿÎú L$ l$xÓæÒ4$Du+Â^D$ëVPû\|$Hÿÿÿw;\$LWÁd$H¶ÁçCøÑl$Hö;\|$Hr+\|$HÎJuÈD$xÁæ4$DÇD$ D$ÇD$¸l$ÀD$è\|$Hÿÿÿw;\$LëÁd$H¶ÁçCøD$HfUÁè·ò¯Æ;øsD$H¸+ÆÁøfED$ë)D$H+øÂfÁèf+ÐD$fUT$@ $L$ Ñd$IL$ pÿÿÿ4$Ft$\tZL$l$tÁ9l$\w`$ Õ+D$\$ tFD$sBÿD$tIt¬$¤9l$trâë$¤9D$tºöÿÿ\|$Hÿÿÿw;\$L¸t)ë¸ë C+$3À$L$t$¨Ä\|[^_]Ãé ÿÿâýÿMs base_address: 0x00422000 process_identifier: 2944 process_handle: 0x000002c8	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2944 process_handle: 0x000002c8	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: MZ@ÿÿ¸ º´ Í!¸LÍ!Win32 .EXE. $@PEL;à]à:â8RP@p#ù P8`ÜPP.MPRESS1@´àà.MPRESS2¢ P¶àà.rsrc`Ä@Àv2.19 base_address: 0x00400000 process_identifier: 3008 process_handle: 0x000002c8	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: ÜP`QÜPèPmQèPðP~QðPøPQøPQ¨QQQ»QQQÑQQQêQQ QR Q(QR(Q<QOQxQQ³QÅQÞQ÷QR)RGetModuleHandleAGetProcAddressKERNEL32.DLLmsvcrt.dlllogCOMCTL32.dllRPCRT4.dllUuidFromStringAUSER32.dllGetDCGDI32.dllSetBkModecomdlg32.dllFindTextAADVAPI32.dllRegEnumKeyASHELL32.dllSHGetMallocole32.dllCoInitialize`èXZ0ð+ÀþfÁàÈP+ÈñÈWQID91uö+À¬Èáð$Ááè¬ÈQÍ½ýÿÿÓåYXÜ¤lñÿÿQ+ÉQQÌQfÁâRWÁQPÁVQè^ã^Z+À2´+Ð+É;Ês&Ù¬A$þ<èuòCÁÀx;ÂsåëÃxßÂ+ÃFüëÖè_ÇMÿÿÿ°éª¸V«èX é UWVSì\|$ÇD$tÆD$s¬$BD$x¸¶JØÓãËIL$l¶JÓàHD$h$¨¶2ÇEÇD$`Ç¸t$dÇD$\ÇD$XÇD$TÇD$P¶JÎÓà69L$tsD$xfÇÀâö$3ÿÇD$HÿÿÿÿÓ$T$L3Ò;\$L} ¶ÁçBCøú~ç$¤9L$te t$t#t$lD$`T$xÁàt$DÆ\|$Hÿÿÿ,Bw;\$L- Ád$H¶ÁçCøD$HfUÁè·Ê¯Á;øÝD$H¸+ÁL$dÁø¾¶T$sfED$t#D$hl$xÓà¹+L$dÓúÂiÀ\|$`(lD$ÊD$t+D$\$ ¶D$@Ñd$@L$@6l$á\|$HÿÿÿDML$<,w;\$LaÁd$H¶ÁçCøD$HfÁè·ñ¯Æ;øs#D$H¸+ÆòÁø\|$<ft"ë.)D$H+øÁrfÁèf+È\|$<ftþÿWÿÿÿëyþÿq6l$ê\|$Hÿÿÿw;\$LÅÁd$H¶ÁçCøD$HfMÁè·ñ¯Æ;øsD$H¸+ÆòÁøfEë)D$H+øÁrfÁèf+ÈfMëT$tÆ$ D$sB\|$`T$t ÇD$`é\|$` l$`él$`éL$H+øt$`+ÈÂfÁèf+ÐùÿÿÿfUl$xtut$8w;\$Lò¶ÁçÁáCøl$8ÁÁèf·ê¯Å;øsRð¸+Ål$XÁøL$TT$8L$PL$xfD$\l$TD$X3À\|$`ÀÁd@D$`étñ+ø+ðÂfÁèL$8f+Ðþÿÿÿfw;\$LN¶ÁçÁæCøl$8ÖÁêf·Á¯Ð;úã½ò+èÇD$4ÅÁøL$8fD$`L$DÁàD$xúÿÿÿ,Hw;\$LÜ¶ÁçÁæCøfàÆÁè·Ê¯Á;øs`)L$4Á\|$4t$4D$H\|$tfà3À\|$`¬$ T$tÀD D$`D$t+D$\(D$sDBT$té2+ð+øÂfÁèf+ÐfàéÁ+òfÁèl$8f+È+úþÿÿÿfw;\$L¶ÁçÁæCøL$8ÆÁèf°·Ê¯Á;øs#ð¸+Ál$8Áøf°D$Xé Î+ø+ÈÂfÁèf+ÐD$8ùÿÿÿf°w;\$L¢¶ÁçÁáCøt$8ÁÁèfÈ·ê¯Å;øs ð¸+Ål$8ÁøfÈD$Të&ñ+ø+ðÂfÁèf+ÐD$8fÈT$TD$PT$PL$XL$Tl$\D$\l$X3À\|$`L$xÀÁh D@D$`þÿÿÿw;\$Lô¶ÁçÁæCøfÆÁè·ê¯Å;øs/D$H¸+ÅÁd$DÁøÇD$,fD$DLL$ër+ð+øÂfÁèf+Ðþÿÿÿfw;\$L¶ÁçÁæCøfQÆÁè·ê¯Å;øs;D$H¸+ÅÁd$DÁøÇD$,T$DfA L$ÇD$0ë/+ð+øÂt$HfÁèÇD$,f+ÐÇD$0fQÁL$L$0ºL$(,t$õ\|$Hÿÿÿw;\$LÒÁd$H¶ÁçCøD$HfÁè·Ê¯Á;øsD$H¸+ÁÁøÕfë)D$H+øÂfÁèf+ÐfUt$(Nt$(uL$0¸Óà+ÐT$,\|$`T$çD$`úÂ~¸t$xÁàÇD$$0`D$¸,t$õ\|$Hÿÿÿw;\$LÁd$H¶ÁçCøD$HfÁè·Ê¯Á;øsD$H¸+ÁÁøfÅë)D$H+øÂfÁèf+ÐEfl$$Ml$$uPÀú$'ÂòÑøæHÿÎú L$ l$xÓæÒ4$Du+Â^D$ëVPû\|$Hÿÿÿw;\$LWÁd$H¶ÁçCøÑl$Hö;\|$Hr+\|$HÎJuÈD$xÁæ4$DÇD$ D$ÇD$¸l$ÀD$è\|$Hÿÿÿw;\$LëÁd$H¶ÁçCøD$HfUÁè·ò¯Æ;øsD$H¸+ÆÁøfED$ë)D$H+øÂfÁèf+ÐD$fUT$@ $L$ Ñd$IL$ pÿÿÿ4$Ft$\tZL$l$tÁ9l$\w`$ Õ+D$\$ tFD$sBÿD$tIt¬$¤9l$trâë$¤9D$tºöÿÿ\|$Hÿÿÿw;\$L¸t)ë¸ë C+$3À$L$t$¨Ä\|[^_]Ãé5ìþÿh²úÿMs base_address: 0x00455000 process_identifier: 3008 process_handle: 0x000002c8	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3008 process_handle: 0x000002c8	1	1

Code injection by writing an executable or DLL to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ýð2w\$\$\$- $\$- ¯$?\$- ®$\$éØ$\$1$\$¢Ï_%\$¢ÏY%£\$¢ÏX%»\$éÏ$\$]$µ\$ÏU%Æ\$Ï£$\$Ï^%\$Rich\$PEL+¼bà0=@@°8ð TKp8ð{8\|(\|@@°.text½.0 `.rdatap@r4@@.data¼?À¦@À.tls ´@À.gfids0¶@@.rsrcTK Lº@@.reloc8p:@B base_address: 0x00400000 process_identifier: 2676 process_handle: 0x00000380	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: MZ@ÿÿ¸ º´ Í!¸LÍ!Win32 .EXE. $@PEL´Ë^àÐètbà@!f `tpð`X.MPRESS1Pöàà.MPRESS2Þ `øàà.rsrcp@Àv2.19 base_address: 0x00400000 process_identifier: 2884 process_handle: 0x000002c8	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: MZ@ÿÿ¸ º´ Í!¸LÍ!Win32 .EXE. $@PEL»üiTà2¶"P@@÷ 0È H.MPRESS1Öàà.MPRESS2p Øàà.rsrc0æ@Àv2.19 base_address: 0x00400000 process_identifier: 2944 process_handle: 0x000002c8	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: MZ@ÿÿ¸ º´ Í!¸LÍ!Win32 .EXE. $@PEL;à]à:â8RP@p#ù P8`ÜPP.MPRESS1@´àà.MPRESS2¢ P¶àà.rsrc`Ä@Àv2.19 base_address: 0x00400000 process_identifier: 3008 process_handle: 0x000002c8	1	1

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA June 28, 2022, 9:18 a.m.	thread_identifier: 0 callback_function: 0x00408a5e hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	393701	0

Harvests credentials from local email clients (7 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
registry	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary\POP3 User
registry	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (8 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2352 called NtSetContextThread to modify thread in remote process 2676
Process injection	Process 2676 called NtSetContextThread to modify thread in remote process 2884
Process injection	Process 2676 called NtSetContextThread to modify thread in remote process 2944
Process injection	Process 2676 called NtSetContextThread to modify thread in remote process 3008
NtSetContextThread June 28, 2022, 9:18 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4395837 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000390 process_identifier: 2676	1	0	0
NtSetContextThread June 28, 2022, 9:18 a.m.	registers.eip: 1999372740 registers.esp: 3734876 registers.edi: 0 registers.eax: 4678260 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000019c process_identifier: 2884	1	0	0
NtSetContextThread June 28, 2022, 9:18 a.m.	registers.eip: 1999372740 registers.esp: 1571928 registers.edi: 0 registers.eax: 4334086 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000019c process_identifier: 2944	1	0	0
NtSetContextThread June 28, 2022, 9:18 a.m.	registers.eip: 1999372740 registers.esp: 3735108 registers.edi: 0 registers.eax: 4543032 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000019c process_identifier: 3008	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (8 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2352 resumed a thread in remote process 2676
Process injection	Process 2676 resumed a thread in remote process 2884
Process injection	Process 2676 resumed a thread in remote process 2944
Process injection	Process 2676 resumed a thread in remote process 3008
NtResumeThread June 28, 2022, 9:18 a.m.	thread_handle: 0x00000390 suspend_count: 1 process_identifier: 2676	1	0	0
NtResumeThread June 28, 2022, 9:18 a.m.	thread_handle: 0x0000019c suspend_count: 1 process_identifier: 2884	1	0	0
NtResumeThread June 28, 2022, 9:18 a.m.	thread_handle: 0x0000019c suspend_count: 1 process_identifier: 2944	1	0	0
NtResumeThread June 28, 2022, 9:18 a.m.	thread_handle: 0x0000019c suspend_count: 1 process_identifier: 3008	1	0	0

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

Bkav	W32.AIDetectNet.01
MicroWorld-eScan	Gen:Variant.Strictor.6291
FireEye	Generic.mg.d39d493b27584c9c
ALYac	Gen:Variant.Strictor.6291
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
Cybereason	malicious.b27584
Arcabit	Trojan.Strictor.D1893
Elastic	malicious (high confidence)
APEX	Malicious
BitDefender	Gen:Variant.Strictor.6291
Ad-Aware	Gen:Variant.Strictor.6291
Emsisoft	Gen:Variant.Strictor.6291 (B)
McAfee-GW-Edition	BehavesLike.Win32.Generic.bc
Trapmine	malicious.moderate.ml.score
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Malicious PE
Avira	TR/Dropper.MSIL.Gen
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Gen:Variant.Strictor.6291
Cynet	Malicious (score: 100)
Acronis	suspicious
MAX	malware (ai score=88)
Malwarebytes	Malware.AI.70571527
Rising	Trojan.FakeFolder/ICON!1.6ABA (CLASSIC)
Ikarus	Trojan.MSIL.Injector
MaxSecure	Trojan.Malware.300983.susgen
BitDefenderTheta	Gen:NN.ZemsilF.34742.Xm0@aS8uDEf
CrowdStrike	win/malicious_confidence_100% (D)

Executed a process and injected code into it, probably while unpacking (50 out of 54 events)

Time & API	Arguments	Status	Return
NtResumeThread June 28, 2022, 9:18 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2352	1	0
NtResumeThread June 28, 2022, 9:18 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2352	1	0
NtResumeThread June 28, 2022, 9:18 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2352	1	0
CreateProcessInternalW June 28, 2022, 9:18 a.m.	thread_identifier: 2468 thread_handle: 0x0000038c process_identifier: 2464 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA== filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000394	1	1
CreateProcessInternalW June 28, 2022, 9:18 a.m.	thread_identifier: 2680 thread_handle: 0x00000390 process_identifier: 2676 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000380	1	1
NtGetContextThread June 28, 2022, 9:18 a.m.	thread_handle: 0x00000390	1	0
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2676 region_size: 503808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000380	1	0
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ýð2w\$\$\$- $\$- ¯$?\$- ®$\$éØ$\$1$\$¢Ï_%\$¢ÏY%£\$¢ÏX%»\$éÏ$\$]$µ\$ÏU%Æ\$Ï£$\$Ï^%\$Rich\$PEL+¼bà0=@@°8ð TKp8ð{8\|(\|@@°.text½.0 `.rdatap@r4@@.data¼?À¦@À.tls ´@À.gfids0¶@@.rsrcTK Lº@@.reloc8p:@B base_address: 0x00400000 process_identifier: 2676 process_handle: 0x00000380	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: base_address: 0x00401000 process_identifier: 2676 process_handle: 0x00000380	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: base_address: 0x00454000 process_identifier: 2676 process_handle: 0x00000380	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ lEpEjE..pÁFLÖFLÖFLÖFLÖFLÖFLÖFLÖFLÖFLÖFtÁFPÖFPÖFPÖFPÖFPÖFPÖFPÖFxÁFÿÿÿÿpEÂFÂFÂFÂFÂFxÁFðEpE¸EØÁFpÇFCPSTPDT ÂFàÂFÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZpÇFþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨3ðqFãAüqF!ArF¨AtFE.?AVtype_info@@tFE.?AVbad_alloc@std@@tFE.?AVbad_array_new_length@std@@tFE.?AVlogic_error@std@@tFE.?AVlength_error@std@@tFE.?AVout_of_range@std@@tFE.?AV_Facet_base@std@@tFE.?AV_Locimp@locale@std@@tFE.?AVfacet@locale@std@@tFE.?AU_Crt_new_delete@std@@tFE.?AVcodecvt_base@std@@tFE.?AUctype_base@std@@tFE.?AV?$ctype@D@std@@tFE.?AV?$codecvt@DDU_Mbstatet@@@std@@tFE.?AVbad_exception@std@@tFE.HtFE.?AVfailure@ios_base@std@@tFE.?AVruntime_error@std@@tFE.?AVsystem_error@std@@tFE.?AVbad_cast@std@@tFE.?AV_System_error@std@@tFE.?AVexception@std@@ base_address: 0x0046c000 process_identifier: 2676 process_handle: 0x00000380	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: base_address: 0x00470000 process_identifier: 2676 process_handle: 0x00000380	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: eüJüg>¿Ùg>'g>Ig>{° a·`C^CÏ¸¾¸_g>g>MãLáOÍÇqÃ{ß{ß@AþC¦~Á£ýÔç×4ÞàÜÆM) % b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x00471000 process_identifier: 2676 process_handle: 0x00000380	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: base_address: 0x00472000 process_identifier: 2676 process_handle: 0x00000380	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: base_address: 0x00477000 process_identifier: 2676 process_handle: 0x00000380	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2676 process_handle: 0x00000380	1	1
NtSetContextThread June 28, 2022, 9:18 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4395837 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000390 process_identifier: 2676	1	0
NtResumeThread June 28, 2022, 9:18 a.m.	thread_handle: 0x00000390 suspend_count: 1 process_identifier: 2676	1	0
NtResumeThread June 28, 2022, 9:18 a.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 2464	1	0
NtResumeThread June 28, 2022, 9:18 a.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 2464	1	0
NtResumeThread June 28, 2022, 9:18 a.m.	thread_handle: 0x00000438 suspend_count: 1 process_identifier: 2464	1	0
NtResumeThread June 28, 2022, 9:18 a.m.	thread_handle: 0x00000484 suspend_count: 1 process_identifier: 2464	1	0
CreateProcessInternalW June 28, 2022, 9:18 a.m.	thread_identifier: 2888 thread_handle: 0x0000019c process_identifier: 2884 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /stext "C:\Users\test22\AppData\Local\Temp\eeghiqcgh" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002c8	1	1
NtGetContextThread June 28, 2022, 9:18 a.m.	thread_handle: 0x0000019c	1	0
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2884 region_size: 491520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002c8	1	0
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: MZ@ÿÿ¸ º´ Í!¸LÍ!Win32 .EXE. $@PEL´Ë^àÐètbà@!f `tpð`X.MPRESS1Pöàà.MPRESS2Þ `øàà.rsrcp@Àv2.19 base_address: 0x00400000 process_identifier: 2884 process_handle: 0x000002c8	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: base_address: 0x00401000 process_identifier: 2884 process_handle: 0x000002c8	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: ð`\|að`ü`aü`aaaa§aaaÄaaaäaa$a÷a$a,a b,a4a&b4a<aAb<aDa[bDaXakaa³aÐaïabb3bMbebGetModuleHandleAGetProcAddressKERNEL32.DLLmsvcrt.dllabsCOMCTL32.dllVERSION.dllVerQueryValueWWININET.dllFindCloseUrlCacheUSER32.dllGetDCGDI32.dllSetBkModecomdlg32.dllFindTextWADVAPI32.dllRegCloseKeySHELL32.dllSHGetMallocole32.dllCoInitialize`èXZ0ð+ÀþfÁàÈP+ÈñÈWQID91uö+À¬Èáð$Ááè¬ÈQÍ½ýÿÿÓåYXÜ¤lñÿÿQ+ÉQQÌQfÁâRWÁQPÁVQè^ã^Z+À2´+Ð+É;Ês&Ù¬A$þ<èuòCÁÀx;ÂsåëÃxßÂ+ÃFüëÖè_ÇMÿÿÿ°éª¸V«èX é UWVSì\|$ÇD$tÆD$s¬$BD$x¸¶JØÓãËIL$l¶JÓàHD$h$¨¶2ÇEÇD$`Ç¸t$dÇD$\ÇD$XÇD$TÇD$P¶JÎÓà69L$tsD$xfÇÀâö$3ÿÇD$HÿÿÿÿÓ$T$L3Ò;\$L} ¶ÁçBCøú~ç$¤9L$te t$t#t$lD$`T$xÁàt$DÆ\|$Hÿÿÿ,Bw;\$L- Ád$H¶ÁçCøD$HfUÁè·Ê¯Á;øÝD$H¸+ÁL$dÁø¾¶T$sfED$t#D$hl$xÓà¹+L$dÓúÂiÀ\|$`(lD$ÊD$t+D$\$ ¶D$@Ñd$@L$@6l$á\|$HÿÿÿDML$<,w;\$LaÁd$H¶ÁçCøD$HfÁè·ñ¯Æ;øs#D$H¸+ÆòÁø\|$<ft"ë.)D$H+øÁrfÁèf+È\|$<ftþÿWÿÿÿëyþÿq6l$ê\|$Hÿÿÿw;\$LÅÁd$H¶ÁçCøD$HfMÁè·ñ¯Æ;øsD$H¸+ÆòÁøfEë)D$H+øÁrfÁèf+ÈfMëT$tÆ$ D$sB\|$`T$t ÇD$`é\|$` l$`él$`éL$H+øt$`+ÈÂfÁèf+ÐùÿÿÿfUl$xtut$8w;\$Lò¶ÁçÁáCøl$8ÁÁèf·ê¯Å;øsRð¸+Ål$XÁøL$TT$8L$PL$xfD$\l$TD$X3À\|$`ÀÁd@D$`étñ+ø+ðÂfÁèL$8f+Ðþÿÿÿfw;\$LN¶ÁçÁæCøl$8ÖÁêf·Á¯Ð;úã½ò+èÇD$4ÅÁøL$8fD$`L$DÁàD$xúÿÿÿ,Hw;\$LÜ¶ÁçÁæCøfàÆÁè·Ê¯Á;øs`)L$4Á\|$4t$4D$H\|$tfà3À\|$`¬$ T$tÀD D$`D$t+D$\(D$sDBT$té2+ð+øÂfÁèf+ÐfàéÁ+òfÁèl$8f+È+úþÿÿÿfw;\$L¶ÁçÁæCøL$8ÆÁèf°·Ê¯Á;øs#ð¸+Ál$8Áøf°D$Xé Î+ø+ÈÂfÁèf+ÐD$8ùÿÿÿf°w;\$L¢¶ÁçÁáCøt$8ÁÁèfÈ·ê¯Å;øs ð¸+Ål$8ÁøfÈD$Të&ñ+ø+ðÂfÁèf+ÐD$8fÈT$TD$PT$PL$XL$Tl$\D$\l$X3À\|$`L$xÀÁh D@D$`þÿÿÿw;\$Lô¶ÁçÁæCøfÆÁè·ê¯Å;øs/D$H¸+ÅÁd$DÁøÇD$,fD$DLL$ër+ð+øÂfÁèf+Ðþÿÿÿfw;\$L¶ÁçÁæCøfQÆÁè·ê¯Å;øs;D$H¸+ÅÁd$DÁøÇD$,T$DfA L$ÇD$0ë/+ð+øÂt$HfÁèÇD$,f+ÐÇD$0fQÁL$L$0ºL$(,t$õ\|$Hÿÿÿw;\$LÒÁd$H¶ÁçCøD$HfÁè·Ê¯Á;øsD$H¸+ÁÁøÕfë)D$H+øÂfÁèf+ÐfUt$(Nt$(uL$0¸Óà+ÐT$,\|$`T$çD$`úÂ~¸t$xÁàÇD$$0`D$¸,t$õ\|$Hÿÿÿw;\$LÁd$H¶ÁçCøD$HfÁè·Ê¯Á;øsD$H¸+ÁÁøfÅë)D$H+øÂfÁèf+ÐEfl$$Ml$$uPÀú$'ÂòÑøæHÿÎú L$ l$xÓæÒ4$Du+Â^D$ëVPû\|$Hÿÿÿw;\$LWÁd$H¶ÁçCøÑl$Hö;\|$Hr+\|$HÎJuÈD$xÁæ4$DÇD$ D$ÇD$¸l$ÀD$è\|$Hÿÿÿw;\$LëÁd$H¶ÁçCøD$HfUÁè·ò¯Æ;øsD$H¸+ÆÁøfED$ë)D$H+øÂfÁèf+ÐD$fUT$@ $L$ Ñd$IL$ pÿÿÿ4$Ft$\tZL$l$tÁ9l$\w`$ Õ+D$\$ tFD$sBÿD$tIt¬$¤9l$trâë$¤9D$tºöÿÿ\|$Hÿÿÿw;\$L¸t)ë¸ë C+$3À$L$t$¨Ä\|[^_]Ãéä þÿ,¢øÿMs base_address: 0x00476000 process_identifier: 2884 process_handle: 0x000002c8	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: (0p`BIN2H ` 2@ä Ð ø# &H'p/0À?è@R8 èàH4ä KVä 8lLXä `ÄLöä ¼MÚä °NDä ØÜN ä üOºä (¸Pbä PQhäx r\|ä\|4VS_VERSION_INFO½ïþ?ÚStringFileInfo¶040904b00CompanyNameNirSoft`FileDescriptionWeb Browser Password Viewer*FileVersion2.06LInternalNameWeb Browser Pass Viewh"LegalCopyrightCopyright © 2011 - 2020 Nir Sofer.ProductVersion2.06DVarFileInfo$Translation ° base_address: 0x00477000 process_identifier: 2884 process_handle: 0x000002c8	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2884 process_handle: 0x000002c8	1	1
NtSetContextThread June 28, 2022, 9:18 a.m.	registers.eip: 1999372740 registers.esp: 3734876 registers.edi: 0 registers.eax: 4678260 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000019c process_identifier: 2884	1	0
NtResumeThread June 28, 2022, 9:18 a.m.	thread_handle: 0x0000019c suspend_count: 1 process_identifier: 2884	1	0
CreateProcessInternalW June 28, 2022, 9:18 a.m.	thread_identifier: 2948 thread_handle: 0x0000019c process_identifier: 2944 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /stext "C:\Users\test22\AppData\Local\Temp\pyuriinavenvg" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002c8	1	1
NtGetContextThread June 28, 2022, 9:18 a.m.	thread_handle: 0x0000019c	1	0
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 2944 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002c8	1	0
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: MZ@ÿÿ¸ º´ Í!¸LÍ!Win32 .EXE. $@PEL»üiTà2¶"P@@÷ 0È H.MPRESS1Öàà.MPRESS2p Øàà.rsrc0æ@Àv2.19 base_address: 0x00400000 process_identifier: 2944 process_handle: 0x000002c8	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: base_address: 0x00401000 process_identifier: 2944 process_handle: 0x000002c8	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: È D!È Ô Q!Ô Ü b!Ü ä o!ä ì !ì ô !ô ü ¸!ü !Ó!!!í!! !3!\!z!!¥!Å!ß!÷!GetModuleHandleAGetProcAddressKERNEL32.DLLmsvcrt.dllabsCOMCTL32.dllUSER32.dllGetDCGDI32.dllSetBkModecomdlg32.dllGetSaveFileNameAADVAPI32.dllRegEnumKeyASHELL32.dllSHGetMallocole32.dllCoInitialize`èXZ0ð+ÀþfÁàÈP+ÈñÈWQID91uö+À¬Èáð$Ááè¬ÈQÍ½ýÿÿÓåYXÜ¤lñÿÿQ+ÉQQÌQfÁâRWÁQPÁVQè^ã^Z+À2´+Ð+É;Ês&Ù¬A$þ<èuòCÁÀx;ÂsåëÃxßÂ+ÃFüëÖè_ÇMÿÿÿ°éª¸V«èX é UWVSì\|$ÇD$tÆD$s¬$BD$x¸¶JØÓãËIL$l¶JÓàHD$h$¨¶2ÇEÇD$`Ç¸t$dÇD$\ÇD$XÇD$TÇD$P¶JÎÓà69L$tsD$xfÇÀâö$3ÿÇD$HÿÿÿÿÓ$T$L3Ò;\$L} ¶ÁçBCøú~ç$¤9L$te t$t#t$lD$`T$xÁàt$DÆ\|$Hÿÿÿ,Bw;\$L- Ád$H¶ÁçCøD$HfUÁè·Ê¯Á;øÝD$H¸+ÁL$dÁø¾¶T$sfED$t#D$hl$xÓà¹+L$dÓúÂiÀ\|$`(lD$ÊD$t+D$\$ ¶D$@Ñd$@L$@6l$á\|$HÿÿÿDML$<,w;\$LaÁd$H¶ÁçCøD$HfÁè·ñ¯Æ;øs#D$H¸+ÆòÁø\|$<ft"ë.)D$H+øÁrfÁèf+È\|$<ftþÿWÿÿÿëyþÿq6l$ê\|$Hÿÿÿw;\$LÅÁd$H¶ÁçCøD$HfMÁè·ñ¯Æ;øsD$H¸+ÆòÁøfEë)D$H+øÁrfÁèf+ÈfMëT$tÆ$ D$sB\|$`T$t ÇD$`é\|$` l$`él$`éL$H+øt$`+ÈÂfÁèf+ÐùÿÿÿfUl$xtut$8w;\$Lò¶ÁçÁáCøl$8ÁÁèf·ê¯Å;øsRð¸+Ål$XÁøL$TT$8L$PL$xfD$\l$TD$X3À\|$`ÀÁd@D$`étñ+ø+ðÂfÁèL$8f+Ðþÿÿÿfw;\$LN¶ÁçÁæCøl$8ÖÁêf·Á¯Ð;úã½ò+èÇD$4ÅÁøL$8fD$`L$DÁàD$xúÿÿÿ,Hw;\$LÜ¶ÁçÁæCøfàÆÁè·Ê¯Á;øs`)L$4Á\|$4t$4D$H\|$tfà3À\|$`¬$ T$tÀD D$`D$t+D$\(D$sDBT$té2+ð+øÂfÁèf+ÐfàéÁ+òfÁèl$8f+È+úþÿÿÿfw;\$L¶ÁçÁæCøL$8ÆÁèf°·Ê¯Á;øs#ð¸+Ál$8Áøf°D$Xé Î+ø+ÈÂfÁèf+ÐD$8ùÿÿÿf°w;\$L¢¶ÁçÁáCøt$8ÁÁèfÈ·ê¯Å;øs ð¸+Ål$8ÁøfÈD$Të&ñ+ø+ðÂfÁèf+ÐD$8fÈT$TD$PT$PL$XL$Tl$\D$\l$X3À\|$`L$xÀÁh D@D$`þÿÿÿw;\$Lô¶ÁçÁæCøfÆÁè·ê¯Å;øs/D$H¸+ÅÁd$DÁøÇD$,fD$DLL$ër+ð+øÂfÁèf+Ðþÿÿÿfw;\$L¶ÁçÁæCøfQÆÁè·ê¯Å;øs;D$H¸+ÅÁd$DÁøÇD$,T$DfA L$ÇD$0ë/+ð+øÂt$HfÁèÇD$,f+ÐÇD$0fQÁL$L$0ºL$(,t$õ\|$Hÿÿÿw;\$LÒÁd$H¶ÁçCøD$HfÁè·Ê¯Á;øsD$H¸+ÁÁøÕfë)D$H+øÂfÁèf+ÐfUt$(Nt$(uL$0¸Óà+ÐT$,\|$`T$çD$`úÂ~¸t$xÁàÇD$$0`D$¸,t$õ\|$Hÿÿÿw;\$LÁd$H¶ÁçCøD$HfÁè·Ê¯Á;øsD$H¸+ÁÁøfÅë)D$H+øÂfÁèf+ÐEfl$$Ml$$uPÀú$'ÂòÑøæHÿÎú L$ l$xÓæÒ4$Du+Â^D$ëVPû\|$Hÿÿÿw;\$LWÁd$H¶ÁçCøÑl$Hö;\|$Hr+\|$HÎJuÈD$xÁæ4$DÇD$ D$ÇD$¸l$ÀD$è\|$Hÿÿÿw;\$LëÁd$H¶ÁçCøD$HfUÁè·ò¯Æ;øsD$H¸+ÆÁøfED$ë)D$H+øÂfÁèf+ÐD$fUT$@ $L$ Ñd$IL$ pÿÿÿ4$Ft$\tZL$l$tÁ9l$\w`$ Õ+D$\$ tFD$sBÿD$tIt¬$¤9l$trâë$¤9D$tºöÿÿ\|$Hÿÿÿw;\$L¸t)ë¸ë C+$3À$L$t$¨Ä\|[^_]Ãé ÿÿâýÿMs base_address: 0x00422000 process_identifier: 2944 process_handle: 0x000002c8	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: base_address: 0x00423000 process_identifier: 2944 process_handle: 0x000002c8	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2944 process_handle: 0x000002c8	1	1
NtSetContextThread June 28, 2022, 9:18 a.m.	registers.eip: 1999372740 registers.esp: 1571928 registers.edi: 0 registers.eax: 4334086 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000019c process_identifier: 2944	1	0
NtResumeThread June 28, 2022, 9:18 a.m.	thread_handle: 0x0000019c suspend_count: 1 process_identifier: 2944	1	0
CreateProcessInternalW June 28, 2022, 9:18 a.m.	thread_identifier: 3012 thread_handle: 0x0000019c process_identifier: 3008 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /stext "C:\Users\test22\AppData\Local\Temp\zazkjbgbjmfzqsno" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002c8	1	1
NtGetContextThread June 28, 2022, 9:18 a.m.	thread_handle: 0x0000019c	1	0
NtAllocateVirtualMemory June 28, 2022, 9:18 a.m.	process_identifier: 3008 region_size: 356352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002c8	1	0
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: MZ@ÿÿ¸ º´ Í!¸LÍ!Win32 .EXE. $@PEL;à]à:â8RP@p#ù P8`ÜPP.MPRESS1@´àà.MPRESS2¢ P¶àà.rsrc`Ä@Àv2.19 base_address: 0x00400000 process_identifier: 3008 process_handle: 0x000002c8	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: base_address: 0x00401000 process_identifier: 3008 process_handle: 0x000002c8	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: ÜP`QÜPèPmQèPðP~QðPøPQøPQ¨QQQ»QQQÑQQQêQQ QR Q(QR(Q<QOQxQQ³QÅQÞQ÷QR)RGetModuleHandleAGetProcAddressKERNEL32.DLLmsvcrt.dlllogCOMCTL32.dllRPCRT4.dllUuidFromStringAUSER32.dllGetDCGDI32.dllSetBkModecomdlg32.dllFindTextAADVAPI32.dllRegEnumKeyASHELL32.dllSHGetMallocole32.dllCoInitialize`èXZ0ð+ÀþfÁàÈP+ÈñÈWQID91uö+À¬Èáð$Ááè¬ÈQÍ½ýÿÿÓåYXÜ¤lñÿÿQ+ÉQQÌQfÁâRWÁQPÁVQè^ã^Z+À2´+Ð+É;Ês&Ù¬A$þ<èuòCÁÀx;ÂsåëÃxßÂ+ÃFüëÖè_ÇMÿÿÿ°éª¸V«èX é UWVSì\|$ÇD$tÆD$s¬$BD$x¸¶JØÓãËIL$l¶JÓàHD$h$¨¶2ÇEÇD$`Ç¸t$dÇD$\ÇD$XÇD$TÇD$P¶JÎÓà69L$tsD$xfÇÀâö$3ÿÇD$HÿÿÿÿÓ$T$L3Ò;\$L} ¶ÁçBCøú~ç$¤9L$te t$t#t$lD$`T$xÁàt$DÆ\|$Hÿÿÿ,Bw;\$L- Ád$H¶ÁçCøD$HfUÁè·Ê¯Á;øÝD$H¸+ÁL$dÁø¾¶T$sfED$t#D$hl$xÓà¹+L$dÓúÂiÀ\|$`(lD$ÊD$t+D$\$ ¶D$@Ñd$@L$@6l$á\|$HÿÿÿDML$<,w;\$LaÁd$H¶ÁçCøD$HfÁè·ñ¯Æ;øs#D$H¸+ÆòÁø\|$<ft"ë.)D$H+øÁrfÁèf+È\|$<ftþÿWÿÿÿëyþÿq6l$ê\|$Hÿÿÿw;\$LÅÁd$H¶ÁçCøD$HfMÁè·ñ¯Æ;øsD$H¸+ÆòÁøfEë)D$H+øÁrfÁèf+ÈfMëT$tÆ$ D$sB\|$`T$t ÇD$`é\|$` l$`él$`éL$H+øt$`+ÈÂfÁèf+ÐùÿÿÿfUl$xtut$8w;\$Lò¶ÁçÁáCøl$8ÁÁèf·ê¯Å;øsRð¸+Ål$XÁøL$TT$8L$PL$xfD$\l$TD$X3À\|$`ÀÁd@D$`étñ+ø+ðÂfÁèL$8f+Ðþÿÿÿfw;\$LN¶ÁçÁæCøl$8ÖÁêf·Á¯Ð;úã½ò+èÇD$4ÅÁøL$8fD$`L$DÁàD$xúÿÿÿ,Hw;\$LÜ¶ÁçÁæCøfàÆÁè·Ê¯Á;øs`)L$4Á\|$4t$4D$H\|$tfà3À\|$`¬$ T$tÀD D$`D$t+D$\(D$sDBT$té2+ð+øÂfÁèf+ÐfàéÁ+òfÁèl$8f+È+úþÿÿÿfw;\$L¶ÁçÁæCøL$8ÆÁèf°·Ê¯Á;øs#ð¸+Ál$8Áøf°D$Xé Î+ø+ÈÂfÁèf+ÐD$8ùÿÿÿf°w;\$L¢¶ÁçÁáCøt$8ÁÁèfÈ·ê¯Å;øs ð¸+Ål$8ÁøfÈD$Të&ñ+ø+ðÂfÁèf+ÐD$8fÈT$TD$PT$PL$XL$Tl$\D$\l$X3À\|$`L$xÀÁh D@D$`þÿÿÿw;\$Lô¶ÁçÁæCøfÆÁè·ê¯Å;øs/D$H¸+ÅÁd$DÁøÇD$,fD$DLL$ër+ð+øÂfÁèf+Ðþÿÿÿfw;\$L¶ÁçÁæCøfQÆÁè·ê¯Å;øs;D$H¸+ÅÁd$DÁøÇD$,T$DfA L$ÇD$0ë/+ð+øÂt$HfÁèÇD$,f+ÐÇD$0fQÁL$L$0ºL$(,t$õ\|$Hÿÿÿw;\$LÒÁd$H¶ÁçCøD$HfÁè·Ê¯Á;øsD$H¸+ÁÁøÕfë)D$H+øÂfÁèf+ÐfUt$(Nt$(uL$0¸Óà+ÐT$,\|$`T$çD$`úÂ~¸t$xÁàÇD$$0`D$¸,t$õ\|$Hÿÿÿw;\$LÁd$H¶ÁçCøD$HfÁè·Ê¯Á;øsD$H¸+ÁÁøfÅë)D$H+øÂfÁèf+ÐEfl$$Ml$$uPÀú$'ÂòÑøæHÿÎú L$ l$xÓæÒ4$Du+Â^D$ëVPû\|$Hÿÿÿw;\$LWÁd$H¶ÁçCøÑl$Hö;\|$Hr+\|$HÎJuÈD$xÁæ4$DÇD$ D$ÇD$¸l$ÀD$è\|$Hÿÿÿw;\$LëÁd$H¶ÁçCøD$HfUÁè·ò¯Æ;øsD$H¸+ÆÁøfED$ë)D$H+øÂfÁèf+ÐD$fUT$@ $L$ Ñd$IL$ pÿÿÿ4$Ft$\tZL$l$tÁ9l$\w`$ Õ+D$\$ tFD$sBÿD$tIt¬$¤9l$trâë$¤9D$tºöÿÿ\|$Hÿÿÿw;\$L¸t)ë¸ë C+$3À$L$t$¨Ä\|[^_]Ãé5ìþÿh²úÿMs base_address: 0x00455000 process_identifier: 3008 process_handle: 0x000002c8	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: base_address: 0x00456000 process_identifier: 3008 process_handle: 0x000002c8	1	1
WriteProcessMemory June 28, 2022, 9:18 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3008 process_handle: 0x000002c8	1	1

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All