Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 28, 2023, 8:14 a.m.	March 28, 2023, 8:20 a.m.

Size	193.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`53622e61772d39cd6868b89aaabb8249`
SHA256	`ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b`
CRC32	`3A589984`
ssdeep	`6144:QkdnyRSXGwbtZt2hP4hY9eII6cuH58KCNRJynB:Q3SXt5E4hoeEdmV+`
Yara	UPX_Zero - UPX packed file Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description) PE_Header_Zero - PE File Signature

wwa.exe "C:\Users\test22\AppData\Local\Temp\wwa.exe"
1932
- wwa.exe "C:\Users\test22\AppData\Local\Temp\wwa.exe"
  2104
  - images.exe "C:\Users\test22\Documents\images.exe"
    2256
    - images.exe "C:\Users\test22\Documents\images.exe"
      2308
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
microsoft.com	A 20.103.85.33 A 20.53.203.50 A 20.81.111.85 A 20.112.52.29 A 20.84.181.62	20.112.52.29

IP Address	Status	Action
164.124.101.2	Active	Moloch
20.112.52.29	Active	Moloch
46.183.222.62	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 46.183.222.62:5353 -> 192.168.56.103:49168	2038897	ET MALWARE Warzone RAT Response (Inbound)	A Network Trojan was detected
TCP 46.183.222.62:5353 -> 192.168.56.103:49168	2038897	ET MALWARE Warzone RAT Response (Inbound)	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 20.112.52.29:80	2260002	SURICATA Applayer Detect protocol only one direction	Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 28, 2023, 8:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 28, 2023, 8:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 28, 2023, 8:15 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 28, 2023, 8:14 a.m.			0	0
IsDebuggerPresent March 28, 2023, 8:14 a.m.			0	0
IsDebuggerPresent March 28, 2023, 8:14 a.m.			0	0
IsDebuggerPresent March 28, 2023, 8:14 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 28, 2023, 8:14 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (38 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 1932 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 1932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 1932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 1932 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02020000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00362000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00495000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00486000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0036a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:08 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004b90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 2256 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 2256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 2256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 2256 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00452000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2023, 8:15 a.m.	process_identifier: 2308 region_size: 684032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08660000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW March 28, 2023, 8:15 a.m.	number_of_free_clusters: 2425554 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0

Steals private information from local Internet browsers (23 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 3\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 11\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 20\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 5\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 10\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 8\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 4\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 15\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 18\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 9\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 2\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 7\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 16\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 13\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 6\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 17\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 12\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 14\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 19\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data

Foreign language identified in PE resource (8 events)

name

RT_ICON

language

LANG_ZULU

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_NEUTRAL

offset

0x0002e55c

size

0x0000384d

name

RT_ICON

language

LANG_ZULU

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_NEUTRAL

offset

0x0002e55c

size

0x0000384d

name

RT_ICON

language

LANG_ZULU

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_NEUTRAL

offset

0x0002e55c

size

0x0000384d

name

RT_ICON

language

LANG_ZULU

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_NEUTRAL

offset

0x0002e55c

size

0x0000384d

name

RT_ICON

language

LANG_ZULU

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_NEUTRAL

offset

0x0002e55c

size

0x0000384d

name

RT_GROUP_ICON

language

LANG_ZULU

filetype

data

sublanguage

SUBLANG_NEUTRAL

offset

0x00031de5

size

0x0000004c

name

RT_VERSION

language

LANG_ZULU

filetype

data

sublanguage

SUBLANG_NEUTRAL

offset

0x00031e6d

size

0x00000274

name

RT_MANIFEST

language

LANG_ZULU

filetype

XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

sublanguage

SUBLANG_NEUTRAL

offset

0x0003211d

size

0x000001ea

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Local\Temp\softokn3.dll
file	C:\Users\test22\AppData\Local\Temp\vcruntime140.dll
file	C:\Users\test22\AppData\Local\Temp\mozglue.dll
file	C:\Users\test22\AppData\Local\Temp\nss3.dll
file	C:\Users\test22\AppData\Local\Temp\msvcp140.dll
file	C:\Users\test22\AppData\Local\Temp\freebl3.dll

Drops an executable to the user AppData folder (6 events)

file	C:\Users\test22\AppData\Local\Temp\freebl3.dll
file	C:\Users\test22\AppData\Local\Temp\mozglue.dll
file	C:\Users\test22\AppData\Local\Temp\vcruntime140.dll
file	C:\Users\test22\AppData\Local\Temp\msvcp140.dll
file	C:\Users\test22\AppData\Local\Temp\nss3.dll
file	C:\Users\test22\AppData\Local\Temp\softokn3.dll

Executes one or more WMI queries (1 event)

wmi

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00027c00', u'virtual_address': u'0x00002000', u'entropy': 7.905036236891226, u'name': u'.text', u'virtual_size': u'0x00027a9f'}

entropy

7.90503623689

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00008400', u'virtual_address': u'0x0002a000', u'entropy': 6.802948062967319, u'name': u'.rsrc', u'virtual_size': u'0x00008307'}

entropy

6.80294806297

description

A section with a high entropy has been found

entropy

0.997402597403

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (1 event)

url	http://microsoft.com/

Yara rule detected in process memory (38 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Run a KeyLogger	rule	KeyLogger
description	File Downloader	rule	Network_Downloader
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Install itself for autorun at Windows startup	rule	Persistence
description	email clients info stealer	rule	infoStealer_emailClients_Zero
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Run a KeyLogger	rule	KeyLogger
description	File Downloader	rule	Network_Downloader
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Install itself for autorun at Windows startup	rule	Persistence
description	email clients info stealer	rule	infoStealer_emailClients_Zero

Communicates with host for which no DNS query was performed (1 event)

host

46.183.222.62

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 2104 region_size: 1425408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000278	1	0
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 2308 region_size: 1425408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000023c		3221225496
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 2308 region_size: 1425408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000023c	1	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images

reg_value

C:\Users\test22\Documents\images.exe

Potential code injection by writing to the memory of another process (8 events)

Time & API	Arguments	Status	Return
WriteProcessMemory March 28, 2023, 8:14 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $É\dE¨27E¨27E¨27§m7D¨27QÃ56D¨27§o7G¨27QÃ66F¨27bn_7D¨27bn\7@¨27@¤=7A¨27QÃ46D¨27QÃ36f¨27E¨37E©27ÄÑ;6Â¨27ÄÑÍ7D¨27ÄÑ06D¨27RichE¨27PELææ¢càêg @À@ðÜh`p,P0Û .textÉ `.rdata<S T@@.data¸Qè@À.rsrcp,`.î@@.relocP@B.bss°2@@ base_address: 0x00400000 process_identifier: 2104 process_handle: 0x00000278	1	1
WriteProcessMemory March 28, 2023, 8:14 a.m.	buffer: @$@8@G@V@e@t@@¸@Ú@ü@/@E@g@TÍ<¨K¢`Ý;UBÄôK A³ÝJpMÛ(`B`BUìUEÈÒt ÆAêu÷]ÃUìd¡0ì@SVWxé§G03ö_,?EøB<}ôDxEðÀÁë3ÉÛt-}ø¾ÁÎ <aUø\| ÂÀàðëuøA;ËrßUü}ôEðL3ÛD ÂMìÉt<3ÿÊÀMøÑEè ÁÏ ¾ÁøBÉuñUü}øEø}ôÆ;Et EèC;]ìrÄWUüÒKÿÿÿ3À_^[ÉÂuðD$X·DÂëÝUìì¼ESVWXhLw&M ]¸èèþÿÿðÇEÄkern3ÀÇEÈel32EÐEÞEÄPÇEÌ.dllÇEàntdlÇEäl.dlfÇEèlÇEÔuserÇEØ32.dfÇEÜllfÇEø1fÇEü2ÿÖEàPÿÖEÔPÿÖhX¤SåèyþÿÿhyÌ?EèlþÿÿhEVEôè_þÿÿhDð5àEÀèRþÿÿhî¶PE¤èEþÿÿhÆREè8þÿÿh_xTîEðè+þÿÿhÚöÚOEèþÿÿøhÆp}´èþÿÿh_»ðèþÿÿh-W®[E¼èöýÿÿE¬3ÀPhjPPhSE¨ÿ×jEìPÿÖ]ø}°jh0WjÿÓðötîjE¨PW}ìVWÿU¼WÿUð>M]¸tjEøPPjÿUÀÆEhà.ÿU¤3À}«jDj«««DÿÿÿPèTýÿÿÄÿu jhÿÿÿUE¼ÀuOEPDÿÿÿP3ÀPPPPPPPSÿUôÀ¯PPjPPh@SE¸ÿU´øjÿÿtE¸ë^EüPPjÿUÀéeìMìQPÿU}ìtoEPDÿÿÿP3ÀPPPPPPPSÿUôÀuOPPjPPh@SEÿU´øjÿÿt*EPÿu°VWÿU¬WÿUðEPDÿÿÿP3ÀPPPPPPPSÿUôë EüPPjÿUÀÆEÿu¼ÿUð}åþÿÿ_^[ÉÃ¸ÒAd base_address: 0x00420000 process_identifier: 2104 process_handle: 0x00000278	1	1
WriteProcessMemory March 28, 2023, 8:14 a.m.	buffer: 2/¾A:¹Ã#^År0ð!ât:ìE7ÎûÜÛê 5 W&w0Ñzk¶õ{à¢F¤ïa¼y1j¡ïÊý¸_!?E%ù¶Ç¤êÅ® ¼_ÜdóÛ@ðîÑñ;o0ë¢R©²sóôI(ó.®Ùo:&ã]1Â^fuìGÓÛÇêúOT¥q!QÆ`N,÷Üâ9÷õ¤¼ ~ß1ïÜªqK òG/µX· base_address: 0x0055b000 process_identifier: 2104 process_handle: 0x00000278	1	1
WriteProcessMemory March 28, 2023, 8:14 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2104 process_handle: 0x00000278	1	1
WriteProcessMemory March 28, 2023, 8:14 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $É\dE¨27E¨27E¨27§m7D¨27QÃ56D¨27§o7G¨27QÃ66F¨27bn_7D¨27bn\7@¨27@¤=7A¨27QÃ46D¨27QÃ36f¨27E¨37E©27ÄÑ;6Â¨27ÄÑÍ7D¨27ÄÑ06D¨27RichE¨27PELææ¢càêg @À@ðÜh`p,P0Û .textÉ `.rdata<S T@@.data¸Qè@À.rsrcp,`.î@@.relocP@B.bss°2@@ base_address: 0x000b0000 process_identifier: 2308 process_handle: 0x0000023c	1	1
WriteProcessMemory March 28, 2023, 8:14 a.m.	buffer: @$@8@G@V@e@t@@¸@Ú@ü@/@E@g@TÍ<¨K¢`Ý;UBÄôK A³ÝJpMÛ(`B`BUìUEÈÒt ÆAêu÷]ÃUìd¡0ì@SVWxé§G03ö_,?EøB<}ôDxEðÀÁë3ÉÛt-}ø¾ÁÎ <aUø\| ÂÀàðëuøA;ËrßUü}ôEðL3ÛD ÂMìÉt<3ÿÊÀMøÑEè ÁÏ ¾ÁøBÉuñUü}øEø}ôÆ;Et EèC;]ìrÄWUüÒKÿÿÿ3À_^[ÉÂuðD$X·DÂëÝUìì¼ESVWXhLw&M ]¸èèþÿÿðÇEÄkern3ÀÇEÈel32EÐEÞEÄPÇEÌ.dllÇEàntdlÇEäl.dlfÇEèlÇEÔuserÇEØ32.dfÇEÜllfÇEø1fÇEü2ÿÖEàPÿÖEÔPÿÖhX¤SåèyþÿÿhyÌ?EèlþÿÿhEVEôè_þÿÿhDð5àEÀèRþÿÿhî¶PE¤èEþÿÿhÆREè8þÿÿh_xTîEðè+þÿÿhÚöÚOEèþÿÿøhÆp}´èþÿÿh_»ðèþÿÿh-W®[E¼èöýÿÿE¬3ÀPhjPPhSE¨ÿ×jEìPÿÖ]ø}°jh0WjÿÓðötîjE¨PW}ìVWÿU¼WÿUð>M]¸tjEøPPjÿUÀÆEhà.ÿU¤3À}«jDj«««DÿÿÿPèTýÿÿÄÿu jhÿÿÿUE¼ÀuOEPDÿÿÿP3ÀPPPPPPPSÿUôÀ¯PPjPPh@SE¸ÿU´øjÿÿtE¸ë^EüPPjÿUÀéeìMìQPÿU}ìtoEPDÿÿÿP3ÀPPPPPPPSÿUôÀuOPPjPPh@SEÿU´øjÿÿt*EPÿu°VWÿU¬WÿUðEPDÿÿÿP3ÀPPPPPPPSÿUôë EüPPjÿUÀÆEÿu¼ÿUð}åþÿÿ_^[ÉÃ¸ÒAd base_address: 0x000d0000 process_identifier: 2308 process_handle: 0x0000023c	1	1
WriteProcessMemory March 28, 2023, 8:14 a.m.	buffer: 2/¾A:¹Ã#^År0ð!ât:ìE7ÎûÜÛê 5 W&w0Ñzk¶õ{à¢F¤ïa¼y1j¡ïÊý¸_!?E%ù¶Ç¤êÅ® ¼_ÜdóÛ@ðîÑñ;o0ë¢R©²sóôI(ó.®Ùo:&ã]1Â^fuìGÓÛÇêúOT¥q!QÆ`N,÷Üâ9÷õ¤¼ ~ß1ïÜªqK òG/µX· base_address: 0x0020b000 process_identifier: 2308 process_handle: 0x0000023c	1	1
WriteProcessMemory March 28, 2023, 8:14 a.m.	buffer: base_address: 0x7efde008 process_identifier: 2308 process_handle: 0x0000023c	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 28, 2023, 8:14 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $É\dE¨27E¨27E¨27§m7D¨27QÃ56D¨27§o7G¨27QÃ66F¨27bn_7D¨27bn\7@¨27@¤=7A¨27QÃ46D¨27QÃ36f¨27E¨37E©27ÄÑ;6Â¨27ÄÑÍ7D¨27ÄÑ06D¨27RichE¨27PELææ¢càêg @À@ðÜh`p,P0Û .textÉ `.rdata<S T@@.data¸Qè@À.rsrcp,`.î@@.relocP@B.bss°2@@ base_address: 0x00400000 process_identifier: 2104 process_handle: 0x00000278	1	1	0
WriteProcessMemory March 28, 2023, 8:14 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $É\dE¨27E¨27E¨27§m7D¨27QÃ56D¨27§o7G¨27QÃ66F¨27bn_7D¨27bn\7@¨27@¤=7A¨27QÃ46D¨27QÃ36f¨27E¨37E©27ÄÑ;6Â¨27ÄÑÍ7D¨27ÄÑ06D¨27RichE¨27PELææ¢càêg @À@ðÜh`p,P0Û .textÉ `.rdata<S T@@.data¸Qè@À.rsrcp,`.î@@.relocP@B.bss°2@@ base_address: 0x000b0000 process_identifier: 2308 process_handle: 0x0000023c	1	1	0

Harvests credentials from local email clients (2 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1932 called NtSetContextThread to modify thread in remote process 2104
Process injection	Process 2256 called NtSetContextThread to modify thread in remote process 2308
NtSetContextThread March 28, 2023, 8:14 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4220830 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000274 process_identifier: 2104	1	0	0
NtSetContextThread March 28, 2023, 8:14 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4220830 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000238 process_identifier: 2308	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (2 events)

file	C:\Users\test22\AppData\Local\Temp\wwa.exe:Zone.Identifier
file	C:\Users\test22\Documents\images.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1932 resumed a thread in remote process 2104
Process injection	Process 2256 resumed a thread in remote process 2308
NtResumeThread March 28, 2023, 8:14 a.m.	thread_handle: 0x00000274 suspend_count: 1 process_identifier: 2104	1	0	0
NtResumeThread March 28, 2023, 8:14 a.m.	thread_handle: 0x00000238 suspend_count: 1 process_identifier: 2308	1	0	0

Executed a process and injected code into it, probably while unpacking (34 events)

Time & API	Arguments	Status	Return
NtResumeThread March 28, 2023, 8:14 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 1932	1	0
NtResumeThread March 28, 2023, 8:14 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 1932	1	0
NtResumeThread March 28, 2023, 8:14 a.m.	thread_handle: 0x0000019c suspend_count: 1 process_identifier: 1932	1	0
CreateProcessInternalW March 28, 2023, 8:14 a.m.	thread_identifier: 2108 thread_handle: 0x00000274 process_identifier: 2104 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\wwa.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\wwa.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\wwa.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000278	1	1
NtGetContextThread March 28, 2023, 8:14 a.m.	thread_handle: 0x00000274	1	0
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 2104 region_size: 1425408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000278	1	0
WriteProcessMemory March 28, 2023, 8:14 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $É\dE¨27E¨27E¨27§m7D¨27QÃ56D¨27§o7G¨27QÃ66F¨27bn_7D¨27bn\7@¨27@¤=7A¨27QÃ46D¨27QÃ36f¨27E¨37E©27ÄÑ;6Â¨27ÄÑÍ7D¨27ÄÑ06D¨27RichE¨27PELææ¢càêg @À@ðÜh`p,P0Û .textÉ `.rdata<S T@@.data¸Qè@À.rsrcp,`.î@@.relocP@B.bss°2@@ base_address: 0x00400000 process_identifier: 2104 process_handle: 0x00000278	1	1
WriteProcessMemory March 28, 2023, 8:14 a.m.	buffer: base_address: 0x00401000 process_identifier: 2104 process_handle: 0x00000278	1	1
WriteProcessMemory March 28, 2023, 8:14 a.m.	buffer: base_address: 0x0041a000 process_identifier: 2104 process_handle: 0x00000278	1	1
WriteProcessMemory March 28, 2023, 8:14 a.m.	buffer: @$@8@G@V@e@t@@¸@Ú@ü@/@E@g@TÍ<¨K¢`Ý;UBÄôK A³ÝJpMÛ(`B`BUìUEÈÒt ÆAêu÷]ÃUìd¡0ì@SVWxé§G03ö_,?EøB<}ôDxEðÀÁë3ÉÛt-}ø¾ÁÎ <aUø\| ÂÀàðëuøA;ËrßUü}ôEðL3ÛD ÂMìÉt<3ÿÊÀMøÑEè ÁÏ ¾ÁøBÉuñUü}øEø}ôÆ;Et EèC;]ìrÄWUüÒKÿÿÿ3À_^[ÉÂuðD$X·DÂëÝUìì¼ESVWXhLw&M ]¸èèþÿÿðÇEÄkern3ÀÇEÈel32EÐEÞEÄPÇEÌ.dllÇEàntdlÇEäl.dlfÇEèlÇEÔuserÇEØ32.dfÇEÜllfÇEø1fÇEü2ÿÖEàPÿÖEÔPÿÖhX¤SåèyþÿÿhyÌ?EèlþÿÿhEVEôè_þÿÿhDð5àEÀèRþÿÿhî¶PE¤èEþÿÿhÆREè8þÿÿh_xTîEðè+þÿÿhÚöÚOEèþÿÿøhÆp}´èþÿÿh_»ðèþÿÿh-W®[E¼èöýÿÿE¬3ÀPhjPPhSE¨ÿ×jEìPÿÖ]ø}°jh0WjÿÓðötîjE¨PW}ìVWÿU¼WÿUð>M]¸tjEøPPjÿUÀÆEhà.ÿU¤3À}«jDj«««DÿÿÿPèTýÿÿÄÿu jhÿÿÿUE¼ÀuOEPDÿÿÿP3ÀPPPPPPPSÿUôÀ¯PPjPPh@SE¸ÿU´øjÿÿtE¸ë^EüPPjÿUÀéeìMìQPÿU}ìtoEPDÿÿÿP3ÀPPPPPPPSÿUôÀuOPPjPPh@SEÿU´øjÿÿt*EPÿu°VWÿU¬WÿUðEPDÿÿÿP3ÀPPPPPPPSÿUôë EüPPjÿUÀÆEÿu¼ÿUð}åþÿÿ_^[ÉÃ¸ÒAd base_address: 0x00420000 process_identifier: 2104 process_handle: 0x00000278	1	1
WriteProcessMemory March 28, 2023, 8:14 a.m.	buffer: base_address: 0x00556000 process_identifier: 2104 process_handle: 0x00000278	1	1
WriteProcessMemory March 28, 2023, 8:14 a.m.	buffer: base_address: 0x00559000 process_identifier: 2104 process_handle: 0x00000278	1	1
WriteProcessMemory March 28, 2023, 8:14 a.m.	buffer: 2/¾A:¹Ã#^År0ð!ât:ìE7ÎûÜÛê 5 W&w0Ñzk¶õ{à¢F¤ïa¼y1j¡ïÊý¸_!?E%ù¶Ç¤êÅ® ¼_ÜdóÛ@ðîÑñ;o0ë¢R©²sóôI(ó.®Ùo:&ã]1Â^fuìGÓÛÇêúOT¥q!QÆ`N,÷Üâ9÷õ¤¼ ~ß1ïÜªqK òG/µX· base_address: 0x0055b000 process_identifier: 2104 process_handle: 0x00000278	1	1
WriteProcessMemory March 28, 2023, 8:14 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2104 process_handle: 0x00000278	1	1
NtSetContextThread March 28, 2023, 8:14 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4220830 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000274 process_identifier: 2104	1	0
NtResumeThread March 28, 2023, 8:14 a.m.	thread_handle: 0x00000274 suspend_count: 1 process_identifier: 2104	1	0
CreateProcessInternalW March 28, 2023, 8:14 a.m.	thread_identifier: 2260 thread_handle: 0x000001f8 process_identifier: 2256 current_directory: filepath: C:\Users\test22\Documents\images.exe track: 1 command_line: filepath_r: C:\Users\test22\Documents\images.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000001fc	1	1
NtResumeThread March 28, 2023, 8:14 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2256	1	0
NtResumeThread March 28, 2023, 8:14 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2256	1	0
CreateProcessInternalW March 28, 2023, 8:14 a.m.	thread_identifier: 2312 thread_handle: 0x00000238 process_identifier: 2308 current_directory: filepath: C:\Users\test22\Documents\images.exe track: 1 command_line: "C:\Users\test22\Documents\images.exe" filepath_r: C:\Users\test22\Documents\images.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000023c	1	1
NtGetContextThread March 28, 2023, 8:14 a.m.	thread_handle: 0x00000238	1	0
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 2308 region_size: 1425408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000023c		3221225496
NtAllocateVirtualMemory March 28, 2023, 8:14 a.m.	process_identifier: 2308 region_size: 1425408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000023c	1	0
WriteProcessMemory March 28, 2023, 8:14 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $É\dE¨27E¨27E¨27§m7D¨27QÃ56D¨27§o7G¨27QÃ66F¨27bn_7D¨27bn\7@¨27@¤=7A¨27QÃ46D¨27QÃ36f¨27E¨37E©27ÄÑ;6Â¨27ÄÑÍ7D¨27ÄÑ06D¨27RichE¨27PELææ¢càêg @À@ðÜh`p,P0Û .textÉ `.rdata<S T@@.data¸Qè@À.rsrcp,`.î@@.relocP@B.bss°2@@ base_address: 0x000b0000 process_identifier: 2308 process_handle: 0x0000023c	1	1
WriteProcessMemory March 28, 2023, 8:14 a.m.	buffer: base_address: 0x000b1000 process_identifier: 2308 process_handle: 0x0000023c	1	1
WriteProcessMemory March 28, 2023, 8:14 a.m.	buffer: base_address: 0x000ca000 process_identifier: 2308 process_handle: 0x0000023c	1	1
WriteProcessMemory March 28, 2023, 8:14 a.m.	buffer: @$@8@G@V@e@t@@¸@Ú@ü@/@E@g@TÍ<¨K¢`Ý;UBÄôK A³ÝJpMÛ(`B`BUìUEÈÒt ÆAêu÷]ÃUìd¡0ì@SVWxé§G03ö_,?EøB<}ôDxEðÀÁë3ÉÛt-}ø¾ÁÎ <aUø\| ÂÀàðëuøA;ËrßUü}ôEðL3ÛD ÂMìÉt<3ÿÊÀMøÑEè ÁÏ ¾ÁøBÉuñUü}øEø}ôÆ;Et EèC;]ìrÄWUüÒKÿÿÿ3À_^[ÉÂuðD$X·DÂëÝUìì¼ESVWXhLw&M ]¸èèþÿÿðÇEÄkern3ÀÇEÈel32EÐEÞEÄPÇEÌ.dllÇEàntdlÇEäl.dlfÇEèlÇEÔuserÇEØ32.dfÇEÜllfÇEø1fÇEü2ÿÖEàPÿÖEÔPÿÖhX¤SåèyþÿÿhyÌ?EèlþÿÿhEVEôè_þÿÿhDð5àEÀèRþÿÿhî¶PE¤èEþÿÿhÆREè8þÿÿh_xTîEðè+þÿÿhÚöÚOEèþÿÿøhÆp}´èþÿÿh_»ðèþÿÿh-W®[E¼èöýÿÿE¬3ÀPhjPPhSE¨ÿ×jEìPÿÖ]ø}°jh0WjÿÓðötîjE¨PW}ìVWÿU¼WÿUð>M]¸tjEøPPjÿUÀÆEhà.ÿU¤3À}«jDj«««DÿÿÿPèTýÿÿÄÿu jhÿÿÿUE¼ÀuOEPDÿÿÿP3ÀPPPPPPPSÿUôÀ¯PPjPPh@SE¸ÿU´øjÿÿtE¸ë^EüPPjÿUÀéeìMìQPÿU}ìtoEPDÿÿÿP3ÀPPPPPPPSÿUôÀuOPPjPPh@SEÿU´øjÿÿt*EPÿu°VWÿU¬WÿUðEPDÿÿÿP3ÀPPPPPPPSÿUôë EüPPjÿUÀÆEÿu¼ÿUð}åþÿÿ_^[ÉÃ¸ÒAd base_address: 0x000d0000 process_identifier: 2308 process_handle: 0x0000023c	1	1
WriteProcessMemory March 28, 2023, 8:14 a.m.	buffer: base_address: 0x00206000 process_identifier: 2308 process_handle: 0x0000023c	1	1
WriteProcessMemory March 28, 2023, 8:14 a.m.	buffer: base_address: 0x00209000 process_identifier: 2308 process_handle: 0x0000023c	1	1
WriteProcessMemory March 28, 2023, 8:14 a.m.	buffer: 2/¾A:¹Ã#^År0ð!ât:ìE7ÎûÜÛê 5 W&w0Ñzk¶õ{à¢F¤ïa¼y1j¡ïÊý¸_!?E%ù¶Ç¤êÅ® ¼_ÜdóÛ@ðîÑñ;o0ë¢R©²sóôI(ó.®Ùo:&ã]1Â^fuìGÓÛÇêúOT¥q!QÆ`N,÷Üâ9÷õ¤¼ ~ß1ïÜªqK òG/µX· base_address: 0x0020b000 process_identifier: 2308 process_handle: 0x0000023c	1	1
WriteProcessMemory March 28, 2023, 8:14 a.m.	buffer: base_address: 0x7efde008 process_identifier: 2308 process_handle: 0x0000023c	1	1
NtResumeThread March 28, 2023, 8:14 a.m.	thread_handle: 0x00000264 suspend_count: 1 process_identifier: 2256	1	0
NtSetContextThread March 28, 2023, 8:14 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4220830 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000238 process_identifier: 2308	1	0
NtResumeThread March 28, 2023, 8:14 a.m.	thread_handle: 0x00000238 suspend_count: 1 process_identifier: 2308	1	0

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Win32.Stealer.12!c
DrWeb	Trojan.PackedNET.1923
MicroWorld-eScan	Trojan.GenericKD.66126362
FireEye	Generic.mg.53622e61772d39cd
ALYac	Gen:Variant.MSILHeracles.73214
Malwarebytes	Trojan.Crypt.MSIL
VIPRE	Gen:Variant.MSILHeracles.73214
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Trojan:MSIL/Kryptik.efb68c44
Arcabit	Trojan.MSILHeracles.D11DFE
BitDefenderTheta	Gen:NN.ZemsilF.36344.mm0@amVpWulG
Cyren	W32/MSIL_Agent.EZB.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Kryptik.AGWQ
Cynet	Malicious (score: 100)
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Spy.MSIL.Stealer.gen
BitDefender	Trojan.GenericKD.66126362
Avast	Win32:RATX-gen [Trj]
Tencent	Msil.Trojan.Dropper.Timw
Sophos	ML/PE-A
TrendMicro	TROJ_GEN.R002C0DCR23
McAfee-GW-Edition	Artemis!Trojan
Trapmine	malicious.moderate.ml.score
Emsisoft	Trojan.GenericKD.66126362 (B)
Ikarus	Trojan.MSIL.Inject
Webroot	W32.Trojan.Leonem
Avira	TR/Dropper.MSIL.Gen8
Gridinsoft	Trojan.Win32.WarzoneRAT.bot
Microsoft	Trojan:Win32/Leonem
GData	Trojan.GenericKD.66126362
Google	Detected
Acronis	suspicious
McAfee	Artemis!53622E61772D
MAX	malware (ai score=82)
Cylance	unsafe
TrendMicro-HouseCall	TROJ_GEN.R002C0DCR23
Rising	Malware.Obfus/MSIL@AI.98 (RDM.MSIL2:JwaJ7m2fDFnCSNi1kuruYA)
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.AEBO!tr
AVG	Win32:RATX-gen [Trj]
Panda	Trj/GdSda.A

wwa.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All