Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 29, 2022, 9:11 a.m.	July 29, 2022, 9:13 a.m.

Size	378.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`0de5fa8a3cf1f68ad13f6e051563a150`
SHA256	`a4faa35bb882c7bab6630d2776ed6a68d1560fbce7d13aea2b3c49e9cab04277`
CRC32	`E7BCAC86`
ssdeep	`6144:GylUqd4XaTcYQP9XYmsTDfExwnpgVVU5e2t1Ay8JjhQp:Gyl/d4KTc9IJn8ygI+y8JjhQp`
Yara	IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Is_DotNET_EXE - (no description) UPX_Zero - UPX packed file Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet PE_Header_Zero - PE File Signature

upnp_enc.exe "C:\Users\test22\AppData\Local\Temp\upnp_enc.exe"
2372
- upnp.exe "C:\Users\test22\AppData\Local\Temp\upnp.exe"
  2488
  - powershell.exe powershell Add-MpPreference -ExclusionPath C:\
    2612
  - cmd.exe "C:\Windows\System32\cmd.exe"
    2712
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
mercenarywarzone.ddns.net

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:60117 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 29, 2022, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 29, 2022, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 29, 2022, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 29, 2022, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 29, 2022, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 29, 2022, 9:11 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 29, 2022, 9:11 a.m.			0	0
IsDebuggerPresent July 29, 2022, 9:11 a.m.			0	0
IsDebuggerPresent July 29, 2022, 9:11 a.m.			0	0
IsDebuggerPresent July 29, 2022, 9:11 a.m.			0	0

Command line console output was observed (11 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 29, 2022, 9:11 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW July 29, 2022, 9:11 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW July 29, 2022, 9:11 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW July 29, 2022, 9:11 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW July 29, 2022, 9:11 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\ console_handle: 0x00000053	1	1
WriteConsoleW July 29, 2022, 9:11 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW July 29, 2022, 9:11 a.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW July 29, 2022, 9:11 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW July 29, 2022, 9:11 a.m.	buffer: Microsoft Windows [Version 6.1.7601] console_handle: 0x00000007	1	1
WriteConsoleW July 29, 2022, 9:11 a.m.	buffer: Copyright (c) 2009 Microsoft Corporation. All rights reserved. console_handle: 0x00000007	1	1
WriteConsoleW July 29, 2022, 9:11 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00308d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003092e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003092e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003092e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00308e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00308e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00308e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00308e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00308e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00308e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003092e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003092e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003092e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003091e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003091e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003091e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00308e28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003091e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003091e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003091e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003091e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003091e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003091e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003091e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00308a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00308a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00308a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00308a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00308a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00308a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00308a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00308a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00308a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00308a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00308a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00308a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00308a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00308a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003096e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003096e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003096e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003096e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003096e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003096e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003096e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003096e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 29, 2022, 9:11 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

EDPENLIGHTENEDAPPINFOID

Connects to a Dynamic DNS Domain (1 event)

domain

mercenarywarzone.ddns.net

Allocates read-write-execute memory (usually to unpack itself) (50 out of 187 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73942000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00322000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0033c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00810000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00811000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00813000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00397000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00395000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00818000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00819000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02060000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02061000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02066000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0206b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02080000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02081000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02086000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02090000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02091000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02096000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02100000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02101000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02106000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02150000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02151000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02157000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0033d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0215c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007df000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0032a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0215d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0215e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00346000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0034a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00347000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01010000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:06 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000044a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW July 29, 2022, 9:06 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 10237759488 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0

Foreign language identified in PE resource (5 events)

name

EDPENLIGHTENEDAPPINFOID

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_NEUTRAL

offset

0x000601e8

size

0x00000002

name

RT_ICON

language

LANG_SERBIAN

filetype

dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 16776176, next used block 10526884

sublanguage

SUBLANG_NEUTRAL

offset

0x000601ec

size

0x000008a8

name

RT_GROUP_ICON

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_NEUTRAL

offset

0x00060a94

size

0x00000014

name

RT_VERSION

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_NEUTRAL

offset

0x00060aa8

size

0x00000380

name

RT_MANIFEST

language

LANG_SERBIAN

filetype

XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators

sublanguage

SUBLANG_NEUTRAL

offset

0x00060e28

size

0x000003e7

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat
file	C:\Users\test22\AppData\Local\Temp\upnp.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	powershell Add-MpPreference -ExclusionPath C:\
cmdline	C:\Windows\System32\cmd.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\upnp.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\upnp.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW July 29, 2022, 9:11 a.m.	thread_identifier: 2716 thread_handle: 0x000001f8 process_identifier: 2712 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001f4	1	1	0

Moves the original executable to a new location (1 event)

Time & API	Arguments	Status	Return	Repeated
MoveFileWithProgressW July 29, 2022, 9:11 a.m.	newfilepath_r: C:\Users\test22\AppData\Local\Temp\amdFFmaiAn.exe flags: 2 oldfilepath_r: C:\Users\test22\AppData\Local\Temp\upnp_enc.exe newfilepath: C:\Users\test22\AppData\Local\Temp\amdFFmaiAn.exe oldfilepath: C:\Users\test22\AppData\Local\Temp\upnp_enc.exe	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 29, 2022, 9:11 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW July 29, 2022, 9:11 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Creates an Alternate Data Stream (ADS) (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02050000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000200	1	0	0
NtProtectVirtualMemory July 29, 2022, 9:11 a.m.	process_identifier: 2712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02050000 process_handle: 0x00000200	1	0	0

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\upnp	reg_value	C:\Users\test22\AppData\Local\Temp\upnp.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 29, 2022, 9:11 a.m.	buffer: UìUEÈÒt ÆAêu÷]ÃUìd¡0ì@SVWxé§G03ö_,?EøB<}ôDxEðÀÁë3ÉÛt-}ø¾ÁÎ <aUø\| ÂÀàðëuøA;ËrßUü}ôEðL3ÛD ÂMìÉt<3ÿÊÀMøÑEè ÁÏ ¾ÁøBÉuñUü}øEø}ôÆ;Et EèC;]ìrÄWUüÒKÿÿÿ3À_^[ÉÂuðD$X·DÂëÝUìì¼ESVWXhLw&M ]¸èèþÿÿðÇEÄkern3ÀÇEÈel32EÐEÞEÄPÇEÌ.dllÇEàntdlÇEäl.dlfÇEèlÇEÔuserÇEØ32.dfÇEÜllfÇEø1fÇEü2ÿÖEàPÿÖEÔPÿÖhX¤SåèyþÿÿhyÌ?EèlþÿÿhEVEôè_þÿÿhDð5àEÀèRþÿÿhî¶PE¤èEþÿÿhÆREè8þÿÿh_xTîEðè+þÿÿhÚöÚOEèþÿÿøhÆp}´èþÿÿh_»ðèþÿÿh-W®[E¼èöýÿÿE¬3ÀPhjPPhSE¨ÿ×jEìPÿÖ]ø}°jh0WjÿÓðötîjE¨PW}ìVWÿU¼WÿUð>M]¸tjEøPPjÿUÀÆEhà.ÿU¤3À}«jDj«««DÿÿÿPèTýÿÿÄÿu jhÿÿÿUE¼ÀuOEPDÿÿÿP3ÀPPPPPPPSÿUôÀ¯PPjPPh@SE¸ÿU´øjÿÿtE¸ë^EüPPjÿUÀéeìMìQPÿU}ìtoEPDÿÿÿP3ÀPPPPPPPSÿUôÀuOPPjPPh@SEÿU´øjÿÿt*EPÿu°VWÿU¬WÿUðEPDÿÿÿP3ÀPPPPPPPSÿUôë EüPPjÿUÀÆEÿu¼ÿUð}åþÿÿ_^[ÉÃÁd×þà base_address: 0x02050000 process_identifier: 2712 process_handle: 0x00000200	1	1	0
WriteProcessMemory July 29, 2022, 9:11 a.m.	buffer: ¸ C:\Users\test22\AppData\Local\Temp\upnp.exeè:tèð4ð4P,pv\|,pv5NpÑñ4$igÿÿÿÿÿ<ð4 ñ4 ø4à^rvYÆ6§þÿÿÿ\|,pv 5pvè base_address: 0x02060000 process_identifier: 2712 process_handle: 0x00000200	1	1	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Local\Temp\upnp.exe:Zone.Identifier

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.MSIL.Stealer.i!c
Cynet	Malicious (score: 99)
McAfee	GenericRXRU-WN!0DE5FA8A3CF1
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 005819c41 )
Alibaba	TrojanPSW:MSIL/AveMariaRAT.a5f8a723
K7GW	Trojan ( 005819c41 )
Cybereason	malicious.1b0acc
Arcabit	Trojan.Generic.D262E1A6
Cyren	W32/MSIL_Kryptik.HPL.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Injector.VRI
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-PSW.MSIL.Stealer.gen
BitDefender	Trojan.GenericKD.40034726
NANO-Antivirus	Trojan.Win32.Stealer.jqidfq
MicroWorld-eScan	Trojan.GenericKD.40034726
Avast	Win32:RATX-gen [Trj]
Tencent	Msil.Trojan-qqpass.Qqrob.Kgb
Ad-Aware	Trojan.GenericKD.40034726
Emsisoft	Trojan.GenericKD.40034726 (B)
DrWeb	Trojan.PWS.Maria.3
VIPRE	Trojan.GenericKD.40034726
TrendMicro	TROJ_GEN.R002C0PGM22
McAfee-GW-Edition	GenericRXRU-WN!0DE5FA8A3CF1
FireEye	Generic.mg.0de5fa8a3cf1f68a
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Avira	TR/Injector.yefao
Antiy-AVL	Trojan/Generic.ASMalwS.6EF0
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	Trojan:MSIL/AveMariaRAT.NYJ!MTB
GData	MSIL.Trojan-Dropper.Agent.BIX
AhnLab-V3	Trojan/Win.WN.C5212291
Acronis	suspicious
ALYac	Trojan.GenericKD.40034726
MAX	malware (ai score=100)
Malwarebytes	Backdoor.AveMaria
TrendMicro-HouseCall	TROJ_GEN.R002C0PGM22
Rising	Trojan.Generic/MSIL@AI.100 (RDM.MSIL:c0YxwEAO4WGLDuDlqrSRpw)
Ikarus	Trojan.MSIL.Injector
MaxSecure	Trojan.Malware.74396735.susgen
Fortinet	MSIL/Injector.VRN!tr
BitDefenderTheta	Gen:NN.ZemsilF.34806.xm0@aWeaQwlG
AVG	Win32:RATX-gen [Trj]
Panda	Trj/Chgt.AD

upnp_enc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All