Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 10, 2023, 10:46 a.m.	March 10, 2023, 10:48 a.m.

Size	909.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`ad0fd8c49bd571cba00267ef88851d73`
SHA256	`33688ef783b3f8913608927cc25e28bb4a7097a2636d734af213956c60178784`
CRC32	`8D7524E9`
ssdeep	`24576:uuOZ6wGkB+e9uf8SnDhrvQ/UhuPRIwlqr9O:JDxQshuPto9O`
Yara	Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description) PE_Header_Zero - PE File Signature

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
1516
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\OkeWnOLx.exe"
  2712
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OkeWnOLx" /XML "C:\Users\test22\AppData\Local\Temp\tmp5F7B.tmp"
  2760
- RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2852

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (11 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 10, 2023, 10:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 10, 2023, 10:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 10, 2023, 10:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 10, 2023, 10:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 10, 2023, 10:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 10, 2023, 10:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 10, 2023, 10:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 10, 2023, 10:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 10, 2023, 10:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 10, 2023, 10:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 10, 2023, 10:47 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 10, 2023, 10:46 a.m.			0	0
IsDebuggerPresent March 10, 2023, 10:46 a.m.			0	0
IsDebuggerPresent March 10, 2023, 10:47 a.m.			0	0
IsDebuggerPresent March 10, 2023, 10:47 a.m.			0	0
IsDebuggerPresent March 10, 2023, 10:47 a.m.			0	0

Command line console output was observed (10 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 10, 2023, 10:47 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW March 10, 2023, 10:47 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW March 10, 2023, 10:47 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW March 10, 2023, 10:47 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW March 10, 2023, 10:47 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Roaming\OkeWnOL console_handle: 0x00000053	1	1
WriteConsoleW March 10, 2023, 10:47 a.m.	buffer: x.exe console_handle: 0x0000005f	1	1
WriteConsoleW March 10, 2023, 10:47 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW March 10, 2023, 10:47 a.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW March 10, 2023, 10:47 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW March 10, 2023, 10:47 a.m.	buffer: SUCCESS: The scheduled task "Updates\OkeWnOLx" has successfully been created. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004991c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004991c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004991c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499a48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499a48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499a48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499a48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499a48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499a48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004991c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004991c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004991c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499b08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00499388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004996c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004996c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004996c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004996c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004996c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004996c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004996c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004996c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 10, 2023, 10:46 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 10, 2023, 10:47 a.m.	stacktrace: 0x631710 0x630f3b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 13 d8 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x631b83 registers.esp: 1897360 registers.edi: 1897384 registers.eax: 0 registers.ebp: 1897396 registers.edx: 195 registers.ebx: 1897644 registers.esi: 38516320 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

March 10, 2023, 10:47 a.m.

stacktrace:

0x631710
0x630f3b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745df5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 13 d8
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x631b83
registers.esp: 1897360
registers.edi: 1897384
registers.eax: 0
registers.ebp: 1897396
registers.edx: 195
registers.ebx: 1897644
registers.esi: 38516320
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 205 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00770000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02360000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00392000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 45056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00651000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0065c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0065d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0065e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024df000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0065f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ae000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05010000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05011000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05018000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05019000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0501a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:46 a.m.	process_identifier: 1516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0501b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:47 a.m.	process_identifier: 1516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:47 a.m.	process_identifier: 1516 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:47 a.m.	process_identifier: 1516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c46000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:47 a.m.	process_identifier: 1516 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c47000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:47 a.m.	process_identifier: 2712 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02830000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:47 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 10, 2023, 10:47 a.m.	process_identifier: 2712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:47 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 10, 2023, 10:47 a.m.	process_identifier: 2712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:47 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:47 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:47 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:47 a.m.	process_identifier: 2712 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:47 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0244a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:47 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:47 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:47 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0245b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 10:47 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02457000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OkeWnOLx" /XML "C:\Users\test22\AppData\Local\Temp\tmp5F7B.tmp"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\OkeWnOLx.exe"
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\OkeWnOLx.exe"
cmdline	schtasks.exe /Create /TN "Updates\OkeWnOLx" /XML "C:\Users\test22\AppData\Local\Temp\tmp5F7B.tmp"

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW March 10, 2023, 10:46 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\OkeWnOLx.exe" filepath: powershell	1	1	0
ShellExecuteExW March 10, 2023, 10:46 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\OkeWnOLx" /XML "C:\Users\test22\AppData\Local\Temp\tmp5F7B.tmp" filepath: schtasks.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x000e0400', u'virtual_address': u'0x00002000', u'entropy': 7.753705477123889, u'name': u'.text', u'virtual_size': u'0x000e03cc'}

entropy

7.75370547712

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00002e00', u'virtual_address': u'0x000e4000', u'entropy': 7.662988617271005, u'name': u'.rsrc', u'virtual_size': u'0x00002d00'}

entropy

7.66298861727

description

A section with a high entropy has been found

entropy

0.999449944994

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW March 10, 2023, 10:46 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 10, 2023, 10:47 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 10, 2023, 10:47 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (12 events)

description	Communications smtp	rule	Network_SMTP_dotNet
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Run a KeyLogger	rule	KeyLogger
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OkeWnOLx" /XML "C:\Users\test22\AppData\Local\Temp\tmp5F7B.tmp"
cmdline	schtasks.exe /Create /TN "Updates\OkeWnOLx" /XML "C:\Users\test22\AppData\Local\Temp\tmp5F7B.tmp"

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 10, 2023, 10:47 a.m.	process_identifier: 2852 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b8	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation March 10, 2023, 10:47 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

RegSvcs.exe tried to sleep 10912847 seconds, actually delayed analysis time by 10912847 seconds

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory March 10, 2023, 10:47 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELöraàN>l @ À@ìkO H.textDL N `.rsrcP@@.reloc T@B base_address: 0x00400000 process_identifier: 2852 process_handle: 0x000002b8	1	1
WriteProcessMemory March 10, 2023, 10:47 a.m.	buffer: 0HX´´4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoð000004b0,FileDescription 0FileVersion0.0.0.0p'InternalNametAyVaeuJPHHPGXGHsjbHlexBLbPJIruUoy.exe(LegalCopyright x'OriginalFilenametAyVaeuJPHHPGXGHsjbHlexBLbPJIruUoy.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 base_address: 0x00438000 process_identifier: 2852 process_handle: 0x000002b8	1	1
WriteProcessMemory March 10, 2023, 10:47 a.m.	buffer: `@< base_address: 0x0043a000 process_identifier: 2852 process_handle: 0x000002b8	1	1
WriteProcessMemory March 10, 2023, 10:47 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2852 process_handle: 0x000002b8	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 10, 2023, 10:47 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELöraàN>l @ À@ìkO H.textDL N `.rsrcP@@.reloc T@B base_address: 0x00400000 process_identifier: 2852 process_handle: 0x000002b8	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1516 called NtSetContextThread to modify thread in remote process 2852
NtSetContextThread March 10, 2023, 10:47 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4418622 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002ac process_identifier: 2852	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1516 resumed a thread in remote process 2852
NtResumeThread March 10, 2023, 10:47 a.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2852	1	0	0

Executed a process and injected code into it, probably while unpacking (32 events)

Time & API	Arguments	Status	Return
NtResumeThread March 10, 2023, 10:46 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1516	1	0
NtResumeThread March 10, 2023, 10:46 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 1516	1	0
NtResumeThread March 10, 2023, 10:46 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 1516	1	0
NtResumeThread March 10, 2023, 10:46 a.m.	thread_handle: 0x0000024c suspend_count: 1 process_identifier: 1516	1	0
CreateProcessInternalW March 10, 2023, 10:46 a.m.	thread_identifier: 2716 thread_handle: 0x000003b4 process_identifier: 2712 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\OkeWnOLx.exe" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003bc	1	1
CreateProcessInternalW March 10, 2023, 10:46 a.m.	thread_identifier: 2764 thread_handle: 0x0000037c process_identifier: 2760 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OkeWnOLx" /XML "C:\Users\test22\AppData\Local\Temp\tmp5F7B.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003bc	1	1
NtResumeThread March 10, 2023, 10:47 a.m.	thread_handle: 0x000003d8 suspend_count: 1 process_identifier: 1516	1	0
CreateProcessInternalW March 10, 2023, 10:47 a.m.	thread_identifier: 2856 thread_handle: 0x000002ac process_identifier: 2852 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002b8	1	1
NtGetContextThread March 10, 2023, 10:47 a.m.	thread_handle: 0x000002ac	1	0
NtAllocateVirtualMemory March 10, 2023, 10:47 a.m.	process_identifier: 2852 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b8	1	0
WriteProcessMemory March 10, 2023, 10:47 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELöraàN>l @ À@ìkO H.textDL N `.rsrcP@@.reloc T@B base_address: 0x00400000 process_identifier: 2852 process_handle: 0x000002b8	1	1
WriteProcessMemory March 10, 2023, 10:47 a.m.	buffer: base_address: 0x00402000 process_identifier: 2852 process_handle: 0x000002b8	1	1
WriteProcessMemory March 10, 2023, 10:47 a.m.	buffer: 0HX´´4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoð000004b0,FileDescription 0FileVersion0.0.0.0p'InternalNametAyVaeuJPHHPGXGHsjbHlexBLbPJIruUoy.exe(LegalCopyright x'OriginalFilenametAyVaeuJPHHPGXGHsjbHlexBLbPJIruUoy.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 base_address: 0x00438000 process_identifier: 2852 process_handle: 0x000002b8	1	1
WriteProcessMemory March 10, 2023, 10:47 a.m.	buffer: `@< base_address: 0x0043a000 process_identifier: 2852 process_handle: 0x000002b8	1	1
WriteProcessMemory March 10, 2023, 10:47 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2852 process_handle: 0x000002b8	1	1
NtSetContextThread March 10, 2023, 10:47 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4418622 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002ac process_identifier: 2852	1	0
NtResumeThread March 10, 2023, 10:47 a.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2852	1	0
NtResumeThread March 10, 2023, 10:47 a.m.	thread_handle: 0x000003e0 suspend_count: 1 process_identifier: 1516	1	0
NtResumeThread March 10, 2023, 10:47 a.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2712	1	0
NtResumeThread March 10, 2023, 10:47 a.m.	thread_handle: 0x000002fc suspend_count: 1 process_identifier: 2712	1	0
NtResumeThread March 10, 2023, 10:47 a.m.	thread_handle: 0x00000448 suspend_count: 1 process_identifier: 2712	1	0
NtResumeThread March 10, 2023, 10:47 a.m.	thread_handle: 0x000004a8 suspend_count: 1 process_identifier: 2712	1	0
NtResumeThread March 10, 2023, 10:47 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2852	1	0
NtResumeThread March 10, 2023, 10:47 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2852	1	0
NtResumeThread March 10, 2023, 10:47 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2852	1	0
NtResumeThread March 10, 2023, 10:47 a.m.	thread_handle: 0x0000030c suspend_count: 1 process_identifier: 2852	1	0
NtResumeThread March 10, 2023, 10:47 a.m.	thread_handle: 0x0000032c suspend_count: 1 process_identifier: 2852	1	0
NtResumeThread March 10, 2023, 10:47 a.m.	thread_handle: 0x00000388 suspend_count: 1 process_identifier: 2852	1	0
NtResumeThread March 10, 2023, 10:47 a.m.	thread_handle: 0x000003fc suspend_count: 1 process_identifier: 2852	1	0
NtResumeThread March 10, 2023, 10:47 a.m.	thread_handle: 0x0000034c suspend_count: 1 process_identifier: 2852	1	0
NtResumeThread March 10, 2023, 10:47 a.m.	thread_handle: 0x000003f0 suspend_count: 1 process_identifier: 2852	1	0
NtResumeThread March 10, 2023, 10:48 a.m.	thread_handle: 0x000003f0 suspend_count: 1 process_identifier: 2852	1	0

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Bkav	W32.AIDetectNet.01
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.65851511
Sangfor	Backdoor.Msil.Androm.V82m
CrowdStrike	win/malicious_confidence_100% (W)
Cyren	W32/MSIL_Kryptik.JAJ.gen!Eldorado
Symantec	MSIL.Packed.31
tehtris	Generic.Malware
ESET-NOD32	a variant of MSIL/Kryptik.AIHV
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Backdoor.MSIL.Androm.gen
BitDefender	Trojan.GenericKD.65851511
Avast	Win32:PWSX-gen [Trj]
DrWeb	Trojan.Inject4.54014
TrendMicro	Backdoor.MSIL.ANDROM.USPAXC923
McAfee-GW-Edition	BehavesLike.Win32.Generic.dc
Trapmine	suspicious.low.ml.score
FireEye	Generic.mg.ad0fd8c49bd571cb
Emsisoft	Trojan.GenericKD.65851511 (B)
SentinelOne	Static AI - Malicious PE
Webroot	W32.Trojan.Gen
MAX	malware (ai score=88)
Xcitium	Malware@#2za4jum1i7r9l
GData	MSIL.Trojan-Stealer.AgentTesla.4RERQ9
Google	Detected
AhnLab-V3	Infostealer/Win.RequestPOST.C5392830
McAfee	Artemis!AD0FD8C49BD5
TrendMicro-HouseCall	Backdoor.MSIL.ANDROM.USPAXC923
Rising	Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:NsjMe/1G1T+GVRcZ74Jxcg)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.AIHV!tr
AVG	Win32:PWSX-gen [Trj]

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All