Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 25, 2023, 3:51 a.m.	Jan. 25, 2023, 4:10 a.m.

Size	1.6MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`49090fa137c16750bc4883a15bc136c0`
SHA256	`b1a5b664300ebe7d44ae27b9bae5b44c74faf5cf6b049a69127534ba55a43930`
CRC32	`A88B2195`
ssdeep	`24576:qWM8HgMQjZVeSyEG7sCZ1cO0WEKh3uYErwLzdNi8nraFVOVXrtKq+oh:S8MZkSisTHW/3uYF0FVutDh`
Yara	IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature

DTL067520003470xls.exe "C:\Users\test22\AppData\Local\Temp\DTL067520003470xls.exe"
724
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2164
- DTL067520003470xls.exe C:\Users\test22\AppData\Local\Temp\DTL067520003470xls.exe
  2696

Name	Response	Post-Analysis Lookup
api.ipify.org	A 64.185.227.155 CNAME api4.ipify.org A 104.237.62.211 A 173.231.16.76	104.237.62.211

IP Address	Status	Action
104.237.62.211	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49167 -> 104.237.62.211:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49167 104.237.62.211:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.ipify.org	19:d7:90:9b:94:40:47:10:c8:4d:0f:e1:85:86:d5:0f:1c:15:9e:f4

Queries for the computername (11 events)

Time & API	Arguments	Status	Return
GetComputerNameW Jan. 25, 2023, 3:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 25, 2023, 3:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 25, 2023, 3:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 25, 2023, 3:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 25, 2023, 3:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 25, 2023, 3:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 25, 2023, 3:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 25, 2023, 4:08 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 25, 2023, 4:08 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 25, 2023, 4:08 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 25, 2023, 4:08 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 25, 2023, 3:51 a.m.			0	0
IsDebuggerPresent Jan. 25, 2023, 3:51 a.m.			0	0
IsDebuggerPresent Jan. 25, 2023, 3:51 a.m.			0	0
IsDebuggerPresent Jan. 25, 2023, 4:08 a.m.			0	0
IsDebuggerPresent Jan. 25, 2023, 4:08 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (47 events)

Time & API	Arguments	Status	Return
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00629200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00629200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00629040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00629040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00505e40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00505b80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00505b80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00505b80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00505b80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00505b80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00505b80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506680 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506680 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506680 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506680 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506680 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506680 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506680 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506680 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506680 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506680 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506880 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506880 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506880 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506880 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506880 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506880 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506880 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506880 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506880 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506880 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506880 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506880 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506880 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506880 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 3:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00506300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 4:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00a31358 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 4:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00a31358 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 25, 2023, 4:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0098ace8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 25, 2023, 3:51 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Jan. 25, 2023, 4:08 a.m.	stacktrace: 0x850924 0x850848 0x850706 0x850060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x853c0d registers.esp: 5763160 registers.edi: 5763184 registers.eax: 0 registers.ebp: 5763196 registers.edx: 195 registers.ebx: 40640700 registers.esi: 40644660 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Jan. 25, 2023, 4:08 a.m.

stacktrace:

0x850924
0x850848
0x850706
0x850060
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745df5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x853c0d
registers.esp: 5763160
registers.edi: 5763184
registers.eax: 0
registers.ebp: 5763196
registers.edx: 195
registers.ebx: 40640700
registers.esi: 40644660
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET https://api.ipify.org/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 315 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00780000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02050000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00705000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0070b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00707000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02051000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02052000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0209f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02090000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02053000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02056000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0205f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02100000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02101000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02103000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02104000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02105000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02106000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02091000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02107000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02108000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02109000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02092000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02110000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0210a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0210b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02093000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0210c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0210d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0210e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02111000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02094000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0210f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02120000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02121000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Looks up the external IP address (1 event)

domain

api.ipify.org

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	powershell -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Jan. 25, 2023, 3:51 a.m.	show_type: 0 filepath_r: powershell parameters: -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== filepath: powershell	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Jan. 25, 2023, 4:08 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00168600', u'virtual_address': u'0x00002000', u'entropy': 7.999168187552223, u'name': u'.text', u'virtual_size': u'0x001684c4'}

entropy

7.99916818755

description

A section with a high entropy has been found

entropy

0.897013067828

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Jan. 25, 2023, 3:51 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Jan. 25, 2023, 3:51 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (10 events)

description	Run a KeyLogger	rule	KeyLogger
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 2696 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000394	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Jan. 25, 2023, 4:09 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Efjolqt

reg_value

"C:\Users\test22\AppData\Roaming\Zhlztcpehzh\Efjolqt.exe"

Harvests credentials from local FTP client softwares (5 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\SOFTWARE\FTPWare\COREFTP\Sites

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Jan. 25, 2023, 3:51 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL SÎcà0Î¨ @ @¨KÀFà H.textÔ `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 2696 process_handle: 0x00000394	1	1
WriteProcessMemory Jan. 25, 2023, 3:51 a.m.	buffer: P8h À¼\Ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalName09e02ed2-6710-4625-addd-3706bab2f529.exe(LegalCopyright \|)OriginalFilename09e02ed2-6710-4625-addd-3706bab2f529.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042c000 process_identifier: 2696 process_handle: 0x00000394	1	1
WriteProcessMemory Jan. 25, 2023, 3:51 a.m.	buffer: Ð8 base_address: 0x0042e000 process_identifier: 2696 process_handle: 0x00000394	1	1
WriteProcessMemory Jan. 25, 2023, 3:51 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2696 process_handle: 0x00000394	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Jan. 25, 2023, 3:51 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL SÎcà0Î¨ @ @¨KÀFà H.textÔ `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 2696 process_handle: 0x00000394	1	1	0

Harvests credentials from local email clients (6 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 724 called NtSetContextThread to modify thread in remote process 2696
NtSetContextThread Jan. 25, 2023, 3:51 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4368590 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000388 process_identifier: 2696	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 724 resumed a thread in remote process 2696
NtResumeThread Jan. 25, 2023, 3:51 a.m.	thread_handle: 0x00000388 suspend_count: 1 process_identifier: 2696	1	0	0

Executed a process and injected code into it, probably while unpacking (28 events)

Time & API	Arguments	Status	Return
NtResumeThread Jan. 25, 2023, 3:51 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 724	1	0
NtResumeThread Jan. 25, 2023, 3:51 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 724	1	0
NtResumeThread Jan. 25, 2023, 3:51 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 724	1	0
CreateProcessInternalW Jan. 25, 2023, 3:51 a.m.	thread_identifier: 2168 thread_handle: 0x00000384 process_identifier: 2164 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000038c	1	1
CreateProcessInternalW Jan. 25, 2023, 3:51 a.m.	thread_identifier: 2700 thread_handle: 0x00000388 process_identifier: 2696 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\DTL067520003470xls.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000394	1	1
NtGetContextThread Jan. 25, 2023, 3:51 a.m.	thread_handle: 0x00000388	1	0
NtAllocateVirtualMemory Jan. 25, 2023, 3:51 a.m.	process_identifier: 2696 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000394	1	0
WriteProcessMemory Jan. 25, 2023, 3:51 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL SÎcà0Î¨ @ @¨KÀFà H.textÔ `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 2696 process_handle: 0x00000394	1	1
WriteProcessMemory Jan. 25, 2023, 3:51 a.m.	buffer: base_address: 0x00402000 process_identifier: 2696 process_handle: 0x00000394	1	1
WriteProcessMemory Jan. 25, 2023, 3:51 a.m.	buffer: P8h À¼\Ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalName09e02ed2-6710-4625-addd-3706bab2f529.exe(LegalCopyright \|)OriginalFilename09e02ed2-6710-4625-addd-3706bab2f529.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042c000 process_identifier: 2696 process_handle: 0x00000394	1	1
WriteProcessMemory Jan. 25, 2023, 3:51 a.m.	buffer: Ð8 base_address: 0x0042e000 process_identifier: 2696 process_handle: 0x00000394	1	1
WriteProcessMemory Jan. 25, 2023, 3:51 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2696 process_handle: 0x00000394	1	1
NtSetContextThread Jan. 25, 2023, 3:51 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4368590 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000388 process_identifier: 2696	1	0
NtResumeThread Jan. 25, 2023, 3:51 a.m.	thread_handle: 0x00000388 suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread Jan. 25, 2023, 3:51 a.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2164	1	0
NtResumeThread Jan. 25, 2023, 3:51 a.m.	thread_handle: 0x000002fc suspend_count: 1 process_identifier: 2164	1	0
NtResumeThread Jan. 25, 2023, 3:51 a.m.	thread_handle: 0x00000448 suspend_count: 1 process_identifier: 2164	1	0
NtResumeThread Jan. 25, 2023, 3:51 a.m.	thread_handle: 0x00000494 suspend_count: 1 process_identifier: 2164	1	0
NtResumeThread Jan. 25, 2023, 4:08 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread Jan. 25, 2023, 4:08 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread Jan. 25, 2023, 4:08 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread Jan. 25, 2023, 4:08 a.m.	thread_handle: 0x0000027c suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread Jan. 25, 2023, 4:08 a.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread Jan. 25, 2023, 4:08 a.m.	thread_handle: 0x00000364 suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread Jan. 25, 2023, 4:08 a.m.	thread_handle: 0x00000394 suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread Jan. 25, 2023, 4:08 a.m.	thread_handle: 0x000004d8 suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread Jan. 25, 2023, 4:08 a.m.	thread_handle: 0x00000718 suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread Jan. 25, 2023, 4:08 a.m.	thread_handle: 0x0000072c suspend_count: 1 process_identifier: 2696	1	0

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Win32.Generic.4!c
tehtris	Generic.Malware
MicroWorld-eScan	Gen:Variant.Barys.22132
FireEye	Generic.mg.49090fa137c16750
ALYac	Gen:Variant.Barys.22132
Malwarebytes	Trojan.MCrypt.MSIL.Generic
VIPRE	Gen:Variant.Barys.22132
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.46992a
Arcabit	Trojan.Barys.D5674
BitDefenderTheta	Gen:NN.ZemsilF.36212.Kn0@aq!kTBg
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.OOW
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.Barys.22132
Avast	Win32:PWSX-gen [Trj]
Tencent	Win32.Trojan.Agen.Zolw
Emsisoft	Gen:Variant.Barys.22132 (B)
McAfee-GW-Edition	Artemis!Trojan
Trapmine	suspicious.low.ml.score
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Avira	HEUR/AGEN.1234927
Microsoft	Trojan:Win32/Woreflint.A!cl
GData	Gen:Variant.Barys.22132
Google	Detected
Acronis	suspicious
McAfee	Artemis!49090FA137C1
MAX	malware (ai score=84)
Cylance	Unsafe
TrendMicro-HouseCall	TROJ_GEN.F0D1C00AO23
Rising	Malware.Obfus/MSIL@AI.98 (RDM.MSIL2:Jv44iKyu0QWMgIdeNhRqLw)
Ikarus	Gen.MSIL.Bladabindi
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:PWSX-gen [Trj]

DTL067520003470xls.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All