Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 26, 2023, 10:46 a.m.	Jan. 26, 2023, 11:09 a.m.

Size	719.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`76218662ffd8397441fadb34d12de1cc`
SHA256	`7a0c3008b65ed5033cc3663e9104ed7b39707c2a073ef3626549e0acd64f15f2`
CRC32	`E7261494`
ssdeep	`12288:Frp6gxML2DQ8iFoFEyK0xlDxjIWD7+j3c1z3tTm9OrncN6lcQBb:FrfxMXSCp0r6WmjM1z39AAn`
Yara	IsPE32 - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature

PO_6733.exe "C:\Users\test22\AppData\Local\Temp\PO_6733.exe"
1880
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\ogOazdrNW.exe"
  2656
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ogOazdrNW" /XML "C:\Users\test22\AppData\Local\Temp\tmp55E6.tmp"
  2708
- PO_6733.exe "C:\Users\test22\AppData\Local\Temp\PO_6733.exe"
  2804

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
212.193.30.230	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW Jan. 26, 2023, 10:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2023, 10:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2023, 10:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2023, 10:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 26, 2023, 10:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2023, 10:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2023, 10:46 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 26, 2023, 10:46 a.m.			0	0
IsDebuggerPresent Jan. 26, 2023, 10:46 a.m.			0	0
IsDebuggerPresent Jan. 26, 2023, 10:46 a.m.			0	0
IsDebuggerPresent Jan. 26, 2023, 10:46 a.m.			0	0

Command line console output was observed (10 events)

Time & API	Arguments	Status	Return
WriteConsoleW Jan. 26, 2023, 10:46 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Jan. 26, 2023, 10:46 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Jan. 26, 2023, 10:46 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Jan. 26, 2023, 10:46 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Jan. 26, 2023, 10:46 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Roaming\ogOazdr console_handle: 0x00000053	1	1
WriteConsoleW Jan. 26, 2023, 10:46 a.m.	buffer: NW.exe console_handle: 0x0000005f	1	1
WriteConsoleW Jan. 26, 2023, 10:46 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW Jan. 26, 2023, 10:46 a.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Jan. 26, 2023, 10:46 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Jan. 26, 2023, 10:46 a.m.	buffer: SUCCESS: The scheduled task "Updates\ogOazdrNW" has successfully been created. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00399dc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00399f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00399f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00399f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00399708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00399708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00399708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00399708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00399708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00399708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00399f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00399f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00399f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a2c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a2c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a2c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a2c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a2c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a2c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a2c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2023, 10:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039a2c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 26, 2023, 10:46 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 177 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00680000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00810000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f6c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00811000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f6d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f6e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0237f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02370000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f6f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x047a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x047a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x047a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x047a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x047a9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x047aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x047ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05b30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05b31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05b36000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05b37000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 2656 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02740000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e721000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0245a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e722000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02452000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02851000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 2656 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02852000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\ogOazdrNW.exe"
cmdline	schtasks.exe /Create /TN "Updates\ogOazdrNW" /XML "C:\Users\test22\AppData\Local\Temp\tmp55E6.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ogOazdrNW" /XML "C:\Users\test22\AppData\Local\Temp\tmp55E6.tmp"
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\ogOazdrNW.exe"

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Jan. 26, 2023, 10:46 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\ogOazdrNW.exe" filepath: powershell	1	1	0
ShellExecuteExW Jan. 26, 2023, 10:46 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\ogOazdrNW" /XML "C:\Users\test22\AppData\Local\Temp\tmp55E6.tmp" filepath: schtasks.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000b2600', u'virtual_address': u'0x00002000', u'entropy': 7.552388527460016, u'name': u'.text', u'virtual_size': u'0x000b24f4'}

entropy

7.55238852746

description

A section with a high entropy has been found

entropy

0.992350486787

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Jan. 26, 2023, 10:46 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (17 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Run a KeyLogger	rule	KeyLogger
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	browser info stealer	rule	infoStealer_browser_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	email clients info stealer	rule	infoStealer_emailClients_Zero

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks.exe /Create /TN "Updates\ogOazdrNW" /XML "C:\Users\test22\AppData\Local\Temp\tmp55E6.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ogOazdrNW" /XML "C:\Users\test22\AppData\Local\Temp\tmp55E6.tmp"

Communicates with host for which no DNS query was performed (1 event)

host

212.193.30.230

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 2804 region_size: 208896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002cc	1	0	0

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Jan. 26, 2023, 10:46 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELYI ^à xh-$ @0Ë ð;è Ð Ô.text P`.data\M N@`À.eh_framØp\@0@.bssf`À.edata;ðb@0@.idataèd@0À.relocÐ x@0B base_address: 0x00400000 process_identifier: 2804 process_handle: 0x000002cc	1	1
WriteProcessMemory Jan. 26, 2023, 10:46 a.m.	buffer: zR\|(ÿÿ9AAC qAÃAÆHÿÿ,C h`,ÿÿ,C hxDÿÿFC0B\|ÿÿFC0B¨´ÿÿ>C0zzR\| ÄÿÿaAC0\| AÃA @ÿÿaAC0\| AÃA d\ÿÿaAC0\| AÃA ¨ÿÿICZ ES EJzR\|\|¦ÿÿzR\|ÿÿ+C gzR\| ÿÿKDA}ÃEÆ0@¼ÿÿAACH AÃAÆAÇ,t(ÿÿ\AAN ÃAÆAHÃAÆT¤XÿÿAAACE@M AÃAÆAÇAÅAW EÃAÆAÇAÅE8üÿÿAACCCPAÃAÆAÇAÅ<8ôÿÿyAAFAC@hAÃAÆAÇAÅ4x4ÿÿþAAAC Ø AÃAÆAÇA °üÿÿAC x AÃA4ÔhÿÿAAAC0a AÃAÆAÇA4ÀÿÿAAAC0a AÃAÆAÇA4DÿÿAAAC0p AÃAÆAÇAzR\|<hÿÿÑAAAAC`0 CÃAÆAÇAÅAzR\|<ðÿÿ¸ACAAC@ AÃAÆAÇAÅA<\pÿÿqAAAACpt AÃAÆAÇAÅAzR\|<ÿÿ`AAAAC@2 AÃAÆAÇAÅAzR\|< ÿÿ?AB FÚ ÃAÆAÇAÅAµ ÃAÆAÇAÅA base_address: 0x00427000 process_identifier: 2804 process_handle: 0x000002cc	1	1
WriteProcessMemory Jan. 26, 2023, 10:46 a.m.	buffer: YI ^(ð(ð(ð(ð base_address: 0x0042f000 process_identifier: 2804 process_handle: 0x000002cc	1	1
WriteProcessMemory Jan. 26, 2023, 10:46 a.m.	buffer: X 00 0+010;0E0¦0Ä0Ë0å01Ý1ñ1 2%313\|34[4S5.688¬9´94:Ý:û<==¶=À=Ë=>Ç>û>?? ¨1õ34¤5P6\6l6\|66º6Þ6ç708x8ª8Ñ9$:´;Ã;Ò;ã;÷;<<¢<¹<Ë<r=~==©=»=í=ø=>(>Ò>Ú>á>è>ú>???(?0?7?>?P?[?b?i?????§?²?¹?À?Ö?Þ?å?ì?þ?0ô 0001%1;1E1[1b1v1111³1º1Ë1Ú1ä1ò122+252K2R2d2n2}222©2³2Â2Ì2Ú2÷23#353u333¯3í34424m4w44¤4µ5¼5Ð5Ú5í5ô56646;6V6`6p6w666±6¸6É6Ó6ê6ñ6777%7?7I7P7[7k7y7¡7¨7Ã7×7ð7ú78,8D8R8n888¢8¸8Í8×:ç:;);0;;º;ä;ø;<=¤=Å=Õ=ÿ=>Ó?ô?@`0)0M0f00 11 1{111§1®1µ1½1Ä1Õ1Ý1ä1ø12222&2-282A2H2U2\2i2r2y2222¡2¨2µ2¼2â2ë2ó2ù23 30373¹3Á3È3Õ3Ý3ä3ñ3ù34 44444A4M4d4q4~44¡4®4Ä4Ý4ô4û45!565á5666¾6ç6ï6ù6E77Î7Ö7â7ê788+8Q8¦8Â8ý89W9^9e9q9x999999¤9±9Ù9ø9::7:J:P:f:r:w:}:; ;\;d;~;¢;©;²;Æ;><K<R<W<c<j<q<%=4=C=¹=Ù=è=÷=>> >1>@>O>^>m>\|>>>©>¸>Ç>Ö>ô>ù>??4?9?Y?f??ª?¯?Px00£0µ0Ù0á0í0ô01 111-151=1D1d11¡1+8Ë89ú9::::¯:º:À:;';@;H;M;Z;É;ì;÷;t<<<©=Ú=â=ì=ÿ=> >><>C>_>y>È>`,22Ã3Ê3ô355Ç5v6k8¤8Á8Ù8`9¥9c:G;b;;p0d0«0Ã0ã0 1P1ò1M3¦3&6.7g777Ã78ù8(<J<>À§0²1Ç1Ú1ä12h2Ï2î2L3£3464U4a44é4M5566616?6¨6®6ï6õ67777q7®72888N8U8f8Ò8Ø89959<9¦9Â9á9:M:i:Ú:Y;f;;;¿;×;ß;"<@<\<q<<´<Ì<ä<ü<=,=D=\=t==¤=¼=ñ=ü=>4>9>C>m>>À>Æ>Ñ>??¡?Á?Ô?¸0'0[0c0x00¦0Ë0û01'1/112É2â23$3D3[33¥3Ë3ç3û34#4+4W4_4À4a55!6Ì6ç6E7ó78¨8Ã8Ë8Ú8ß8ö8 99.999C9M9[9a9u99÷9ÿ9<:µ:ç:ò:;;l<<Í<ò<==!==3=<=E=N=W=`=i=r={==c>m>å>C?~?î?û? \ 0<0{0Ê011!1;1C1S1_1y1®1Î12Ï2×2y3ê3@4H44 45£5»5ò5ú5 6?66ª6ä6ë677@7¥7Ä7Þ7þ7{8°tç2-3P3Ö34?4ß45K5s5&6>6^6}6å6ú6777L7Þ788³8Æ89909S9f9¯9»9Ð9ó9:O:[::·:ê:;0;[;;±;Ü;<2<[<<«<Ö<-=B=Ð?Àpr0<1s1à12~3L4X444½40555Á56>66´6Å68y8¸8ì89\99¿9ü9,:_::Ì:ÿ:<;p;£;#<5==Ñ=>8>u>¥>Ø>?E?x?µ?å?ÐH0U00¼0<1v2k3·3 4Y4v55;6i66747'8ò9:5=Ý=(>@>q>°>Ü>&?O??¯?ã?à,0 0:0Z0t00o3§5q6y669³:Ç:Û:>â>ðd)11´1Ã2×2ë2¾4Ê4(5<5W5d5¿5Ë5)6=6X6e6À6Ì67>7Y7f7Á7Í7+8?8Z8g8Æ8Ó8"969Q9^9½9Ê9:-:H:U:°:¼:D;D»1Ç1ç1ó1k2Ð293444¢4§4¬4±4¸4É4æ4ó45551565M57;=@>¾>M?Ì?00Ø0123à3u46d6x66«6q7È8;9E9Z9ô9? 40Tj3þ3 4ø4Ì5Ø5}7Ø7ä7[8p88½8×8å8ÿ8 9\|:À:;;O;;;Ä;<<¸<Ù<ï<=Q=Ô=ì=k>º>i?@ 0®1#2\|2É234É4ó4¼6999P8u7È7U8\8¥8¬8î8w::¤:Ï:Ö:;";{;;;;<\|<<¾=Å=`/060.3;3H3å3ì3p ¢4³4Ä4{55T6]6h7±>/?:?`?002Þ2.9>9n;u;Æ:Í:ù:;/;³;º; 800ö2ý2e3k3x3"444O4:5M5Z5¦55 8§8;<e<E=R=??°ø01À$?6c6 8P889¦9³9:¢:Õ:P>W>Ð0k4G5N5Q7â;é;à12ð2!4@49:@:;e<c>ðZ0¨3¶6¾6Æ6Î6Ö6Þ6æ6î6ö6þ67777&7.767>7F7N7V7^7f7n7v7~77777¦7®7¶7¾7Æ7Î7Ö7Þ7æ7î7ö7þ78888&8.868>8F8N8V8^8f8n8v8~88888¦8®8¶8¾8Æ8Î8Ö8Þ8æ8î8ö8þ89999&9.969>9F9N9V9^9f9n9v9~99999¦9®9¶9¾9Æ9Î9Ö9Þ9æ9î9ö9þ9::::&:.:6:>:F:N:V:^:f:n:v:~:::::¦:®:¶:¾:Æ:Î:Ö:Þ:æ:î:ö:þ:;;;;&;.;6;>;F;N;V;^;f;n;v;~;;;;;¦;®;¶;¾;Æ;Î;Ö;Þ;æ;î;ö;þ;<<J<Ï<=o=¹=î=õ=û=)>^>e>k>>Î>Õ>Û>?Hº4Á4Ç4ß4æ4ì475w5~55Ú5666¦66³6ì7ó7ù7{999å:ì:ò:B;I;O;%?,?2?4¦11³1Ï4ë4õ455`5n5{55ª5±5·5Á7È7Î7æ7í7ó7 4`9d9h9l9p9t9x9\|999999999 9¤9¨9¬9°9´9¸9¼9À9Ä9È9Ì9Ð9Ô9Ø9Ü9à9ä9è9ì9ð9ô9ø9ü9:::: :$:(:,:0:4:8:<:@:¼:À:Ä:È:Ì:Ð:Ô:Ø:Ü:à:ä:è:ì:ð:ô:ø:ü:;;;;;;;; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;\|;;;;;;;;; ;¤;¨;¬;°;´;¸;¼;À;Ä;È;Ì;Ð;Ô;Ø;Ü;à;ä;è;ì;ð;ô;ø;ü;<<@=D=H=L=P=T=X=\=`=d=h=l=p=0 h>l>p>t>x>\|>>>>>>@¬è4ì4ð4ô4ø4ü4555555P5T5X5\5`5d5H8L8P8T8X8\8`8d8h8l8p8t8x8\|888888888 8¤8¨8¬8°8´8¸8¼8À8Ä8È8Ì8Ð8Ô8Ø8Ü8à8ä8è8ì8ð8ô8ø8ü899999999$>,>4><>D>L>T>\>d>l> base_address: 0x00432000 process_identifier: 2804 process_handle: 0x000002cc	1	1
WriteProcessMemory Jan. 26, 2023, 10:46 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2804 process_handle: 0x000002cc	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Jan. 26, 2023, 10:46 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELYI ^à xh-$ @0Ë ð;è Ð Ô.text P`.data\M N@`À.eh_framØp\@0@.bssf`À.edata;ðb@0@.idataèd@0À.relocÐ x@0B base_address: 0x00400000 process_identifier: 2804 process_handle: 0x000002cc	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1880 called NtSetContextThread to modify thread in remote process 2804
NtSetContextThread Jan. 26, 2023, 10:46 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4203565 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000388 process_identifier: 2804	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1880 resumed a thread in remote process 2804
NtResumeThread Jan. 26, 2023, 10:46 a.m.	thread_handle: 0x00000388 suspend_count: 1 process_identifier: 2804	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

212.193.30.230:3363

Executed a process and injected code into it, probably while unpacking (22 events)

Time & API	Arguments	Status	Return
NtResumeThread Jan. 26, 2023, 10:46 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1880	1	0
NtResumeThread Jan. 26, 2023, 10:46 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 1880	1	0
NtResumeThread Jan. 26, 2023, 10:46 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 1880	1	0
CreateProcessInternalW Jan. 26, 2023, 10:46 a.m.	thread_identifier: 2660 thread_handle: 0x000003d4 process_identifier: 2656 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\ogOazdrNW.exe" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003dc	1	1
CreateProcessInternalW Jan. 26, 2023, 10:46 a.m.	thread_identifier: 2712 thread_handle: 0x00000394 process_identifier: 2708 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ogOazdrNW" /XML "C:\Users\test22\AppData\Local\Temp\tmp55E6.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003dc	1	1
CreateProcessInternalW Jan. 26, 2023, 10:46 a.m.	thread_identifier: 2808 thread_handle: 0x00000388 process_identifier: 2804 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\PO_6733.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\PO_6733.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002cc	1	1
NtGetContextThread Jan. 26, 2023, 10:46 a.m.	thread_handle: 0x00000388	1	0
NtAllocateVirtualMemory Jan. 26, 2023, 10:46 a.m.	process_identifier: 2804 region_size: 208896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002cc	1	0
WriteProcessMemory Jan. 26, 2023, 10:46 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELYI ^à xh-$ @0Ë ð;è Ð Ô.text P`.data\M N@`À.eh_framØp\@0@.bssf`À.edata;ðb@0@.idataèd@0À.relocÐ x@0B base_address: 0x00400000 process_identifier: 2804 process_handle: 0x000002cc	1	1
WriteProcessMemory Jan. 26, 2023, 10:46 a.m.	buffer: base_address: 0x00401000 process_identifier: 2804 process_handle: 0x000002cc	1	1
WriteProcessMemory Jan. 26, 2023, 10:46 a.m.	buffer: base_address: 0x00422000 process_identifier: 2804 process_handle: 0x000002cc	1	1
WriteProcessMemory Jan. 26, 2023, 10:46 a.m.	buffer: zR\|(ÿÿ9AAC qAÃAÆHÿÿ,C h`,ÿÿ,C hxDÿÿFC0B\|ÿÿFC0B¨´ÿÿ>C0zzR\| ÄÿÿaAC0\| AÃA @ÿÿaAC0\| AÃA d\ÿÿaAC0\| AÃA ¨ÿÿICZ ES EJzR\|\|¦ÿÿzR\|ÿÿ+C gzR\| ÿÿKDA}ÃEÆ0@¼ÿÿAACH AÃAÆAÇ,t(ÿÿ\AAN ÃAÆAHÃAÆT¤XÿÿAAACE@M AÃAÆAÇAÅAW EÃAÆAÇAÅE8üÿÿAACCCPAÃAÆAÇAÅ<8ôÿÿyAAFAC@hAÃAÆAÇAÅ4x4ÿÿþAAAC Ø AÃAÆAÇA °üÿÿAC x AÃA4ÔhÿÿAAAC0a AÃAÆAÇA4ÀÿÿAAAC0a AÃAÆAÇA4DÿÿAAAC0p AÃAÆAÇAzR\|<hÿÿÑAAAAC`0 CÃAÆAÇAÅAzR\|<ðÿÿ¸ACAAC@ AÃAÆAÇAÅA<\pÿÿqAAAACpt AÃAÆAÇAÅAzR\|<ÿÿ`AAAAC@2 AÃAÆAÇAÅAzR\|< ÿÿ?AB FÚ ÃAÆAÇAÅAµ ÃAÆAÇAÅA base_address: 0x00427000 process_identifier: 2804 process_handle: 0x000002cc	1	1
WriteProcessMemory Jan. 26, 2023, 10:46 a.m.	buffer: YI ^(ð(ð(ð(ð base_address: 0x0042f000 process_identifier: 2804 process_handle: 0x000002cc	1	1
WriteProcessMemory Jan. 26, 2023, 10:46 a.m.	buffer: base_address: 0x00430000 process_identifier: 2804 process_handle: 0x000002cc	1	1
WriteProcessMemory Jan. 26, 2023, 10:46 a.m.	buffer: X 00 0+010;0E0¦0Ä0Ë0å01Ý1ñ1 2%313\|34[4S5.688¬9´94:Ý:û<==¶=À=Ë=>Ç>û>?? ¨1õ34¤5P6\6l6\|66º6Þ6ç708x8ª8Ñ9$:´;Ã;Ò;ã;÷;<<¢<¹<Ë<r=~==©=»=í=ø=>(>Ò>Ú>á>è>ú>???(?0?7?>?P?[?b?i?????§?²?¹?À?Ö?Þ?å?ì?þ?0ô 0001%1;1E1[1b1v1111³1º1Ë1Ú1ä1ò122+252K2R2d2n2}222©2³2Â2Ì2Ú2÷23#353u333¯3í34424m4w44¤4µ5¼5Ð5Ú5í5ô56646;6V6`6p6w666±6¸6É6Ó6ê6ñ6777%7?7I7P7[7k7y7¡7¨7Ã7×7ð7ú78,8D8R8n888¢8¸8Í8×:ç:;);0;;º;ä;ø;<=¤=Å=Õ=ÿ=>Ó?ô?@`0)0M0f00 11 1{111§1®1µ1½1Ä1Õ1Ý1ä1ø12222&2-282A2H2U2\2i2r2y2222¡2¨2µ2¼2â2ë2ó2ù23 30373¹3Á3È3Õ3Ý3ä3ñ3ù34 44444A4M4d4q4~44¡4®4Ä4Ý4ô4û45!565á5666¾6ç6ï6ù6E77Î7Ö7â7ê788+8Q8¦8Â8ý89W9^9e9q9x999999¤9±9Ù9ø9::7:J:P:f:r:w:}:; ;\;d;~;¢;©;²;Æ;><K<R<W<c<j<q<%=4=C=¹=Ù=è=÷=>> >1>@>O>^>m>\|>>>©>¸>Ç>Ö>ô>ù>??4?9?Y?f??ª?¯?Px00£0µ0Ù0á0í0ô01 111-151=1D1d11¡1+8Ë89ú9::::¯:º:À:;';@;H;M;Z;É;ì;÷;t<<<©=Ú=â=ì=ÿ=> >><>C>_>y>È>`,22Ã3Ê3ô355Ç5v6k8¤8Á8Ù8`9¥9c:G;b;;p0d0«0Ã0ã0 1P1ò1M3¦3&6.7g777Ã78ù8(<J<>À§0²1Ç1Ú1ä12h2Ï2î2L3£3464U4a44é4M5566616?6¨6®6ï6õ67777q7®72888N8U8f8Ò8Ø89959<9¦9Â9á9:M:i:Ú:Y;f;;;¿;×;ß;"<@<\<q<<´<Ì<ä<ü<=,=D=\=t==¤=¼=ñ=ü=>4>9>C>m>>À>Æ>Ñ>??¡?Á?Ô?¸0'0[0c0x00¦0Ë0û01'1/112É2â23$3D3[33¥3Ë3ç3û34#4+4W4_4À4a55!6Ì6ç6E7ó78¨8Ã8Ë8Ú8ß8ö8 99.999C9M9[9a9u99÷9ÿ9<:µ:ç:ò:;;l<<Í<ò<==!==3=<=E=N=W=`=i=r={==c>m>å>C?~?î?û? \ 0<0{0Ê011!1;1C1S1_1y1®1Î12Ï2×2y3ê3@4H44 45£5»5ò5ú5 6?66ª6ä6ë677@7¥7Ä7Þ7þ7{8°tç2-3P3Ö34?4ß45K5s5&6>6^6}6å6ú6777L7Þ788³8Æ89909S9f9¯9»9Ð9ó9:O:[::·:ê:;0;[;;±;Ü;<2<[<<«<Ö<-=B=Ð?Àpr0<1s1à12~3L4X444½40555Á56>66´6Å68y8¸8ì89\99¿9ü9,:_::Ì:ÿ:<;p;£;#<5==Ñ=>8>u>¥>Ø>?E?x?µ?å?ÐH0U00¼0<1v2k3·3 4Y4v55;6i66747'8ò9:5=Ý=(>@>q>°>Ü>&?O??¯?ã?à,0 0:0Z0t00o3§5q6y669³:Ç:Û:>â>ðd)11´1Ã2×2ë2¾4Ê4(5<5W5d5¿5Ë5)6=6X6e6À6Ì67>7Y7f7Á7Í7+8?8Z8g8Æ8Ó8"969Q9^9½9Ê9:-:H:U:°:¼:D;D»1Ç1ç1ó1k2Ð293444¢4§4¬4±4¸4É4æ4ó45551565M57;=@>¾>M?Ì?00Ø0123à3u46d6x66«6q7È8;9E9Z9ô9? 40Tj3þ3 4ø4Ì5Ø5}7Ø7ä7[8p88½8×8å8ÿ8 9\|:À:;;O;;;Ä;<<¸<Ù<ï<=Q=Ô=ì=k>º>i?@ 0®1#2\|2É234É4ó4¼6999P8u7È7U8\8¥8¬8î8w::¤:Ï:Ö:;";{;;;;<\|<<¾=Å=`/060.3;3H3å3ì3p ¢4³4Ä4{55T6]6h7±>/?:?`?002Þ2.9>9n;u;Æ:Í:ù:;/;³;º; 800ö2ý2e3k3x3"444O4:5M5Z5¦55 8§8;<e<E=R=??°ø01À$?6c6 8P889¦9³9:¢:Õ:P>W>Ð0k4G5N5Q7â;é;à12ð2!4@49:@:;e<c>ðZ0¨3¶6¾6Æ6Î6Ö6Þ6æ6î6ö6þ67777&7.767>7F7N7V7^7f7n7v7~77777¦7®7¶7¾7Æ7Î7Ö7Þ7æ7î7ö7þ78888&8.868>8F8N8V8^8f8n8v8~88888¦8®8¶8¾8Æ8Î8Ö8Þ8æ8î8ö8þ89999&9.969>9F9N9V9^9f9n9v9~99999¦9®9¶9¾9Æ9Î9Ö9Þ9æ9î9ö9þ9::::&:.:6:>:F:N:V:^:f:n:v:~:::::¦:®:¶:¾:Æ:Î:Ö:Þ:æ:î:ö:þ:;;;;&;.;6;>;F;N;V;^;f;n;v;~;;;;;¦;®;¶;¾;Æ;Î;Ö;Þ;æ;î;ö;þ;<<J<Ï<=o=¹=î=õ=û=)>^>e>k>>Î>Õ>Û>?Hº4Á4Ç4ß4æ4ì475w5~55Ú5666¦66³6ì7ó7ù7{999å:ì:ò:B;I;O;%?,?2?4¦11³1Ï4ë4õ455`5n5{55ª5±5·5Á7È7Î7æ7í7ó7 4`9d9h9l9p9t9x9\|999999999 9¤9¨9¬9°9´9¸9¼9À9Ä9È9Ì9Ð9Ô9Ø9Ü9à9ä9è9ì9ð9ô9ø9ü9:::: :$:(:,:0:4:8:<:@:¼:À:Ä:È:Ì:Ð:Ô:Ø:Ü:à:ä:è:ì:ð:ô:ø:ü:;;;;;;;; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;\|;;;;;;;;; ;¤;¨;¬;°;´;¸;¼;À;Ä;È;Ì;Ð;Ô;Ø;Ü;à;ä;è;ì;ð;ô;ø;ü;<<@=D=H=L=P=T=X=\=`=d=h=l=p=0 h>l>p>t>x>\|>>>>>>@¬è4ì4ð4ô4ø4ü4555555P5T5X5\5`5d5H8L8P8T8X8\8`8d8h8l8p8t8x8\|888888888 8¤8¨8¬8°8´8¸8¼8À8Ä8È8Ì8Ð8Ô8Ø8Ü8à8ä8è8ì8ð8ô8ø8ü899999999$>,>4><>D>L>T>\>d>l> base_address: 0x00432000 process_identifier: 2804 process_handle: 0x000002cc	1	1
WriteProcessMemory Jan. 26, 2023, 10:46 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2804 process_handle: 0x000002cc	1	1
NtSetContextThread Jan. 26, 2023, 10:46 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4203565 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000388 process_identifier: 2804	1	0
NtResumeThread Jan. 26, 2023, 10:46 a.m.	thread_handle: 0x00000388 suspend_count: 1 process_identifier: 2804	1	0
NtResumeThread Jan. 26, 2023, 10:46 a.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2656	1	0
NtResumeThread Jan. 26, 2023, 10:46 a.m.	thread_handle: 0x00000300 suspend_count: 1 process_identifier: 2656	1	0
NtResumeThread Jan. 26, 2023, 10:46 a.m.	thread_handle: 0x0000044c suspend_count: 1 process_identifier: 2656	1	0
NtResumeThread Jan. 26, 2023, 10:46 a.m.	thread_handle: 0x000004ac suspend_count: 1 process_identifier: 2656	1	0

File has been identified by 32 AntiVirus engines on VirusTotal as malicious (32 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Win32.NetWiredRC.4!c
Elastic	malicious (high confidence)
McAfee	Artemis!76218662FFD8
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
Alibaba	Trojan:Win32/starter.ali1000139
Cyren	W32/MSIL_Kryptik.ITZ.gen!Eldorado
Symantec	Scr.Malcode!gdn34
ESET-NOD32	a variant of MSIL/Kryptik.AHWD
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	Win32:PWSX-gen [Trj]
F-Secure	Trojan.TR/AD.Abamousse.bkdwq
DrWeb	Trojan.PackedNET.1797
TrendMicro	Backdoor.Win32.NETWIRE.YXDAYZ
McAfee-GW-Edition	BehavesLike.Win32.Generic.bc
FireEye	Generic.mg.76218662ffd83974
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Avira	TR/AD.Abamousse.bkdwq
Microsoft	Trojan:MSIL/NanoBot.D!MTB
GData	Win32.Backdoor.NetWireRC.JJCJPJ
Google	Detected
VBA32	CIL.HeapOverride.Heur
Malwarebytes	Trojan.MalPack.PNG.Generic
TrendMicro-HouseCall	Backdoor.Win32.NETWIRE.YXDAYZ
Rising	Malware.Obfus/MSIL@AI.91 (RDM.MSIL2:ZypCSnf+hS36kLnPdeMViQ)
MaxSecure	Trojan.Malware.300983.susgen
BitDefenderTheta	Gen:NN.ZemsilF.36212.Sm0@ayBD3Xf
AVG	Win32:PWSX-gen [Trj]

PO_6733.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All