Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 26, 2023, 6:05 p.m.	April 26, 2023, 6:14 p.m.

Size	1.5MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`fffbb8afb4ca73ec2063d73427c847fe`
SHA256	`20e37644d93e86bec12b2c23abc6d0089ba83494189047f137fc19890c82d1fc`
CRC32	`5F256230`
ssdeep	`24576:kM1V4z/25AOA85FwMaUBrqSI9K4tQ5n3JT+PudCwoCgTpchMOoLKWVEYrWboB:kw755ABYTI2dwyMlTM8`
Yara	Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult NPKI_Zero - File included NPKI anti_vm_detect - Possibly employs anti-virtualization techniques Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description) PE_Header_Zero - PE File Signature

Hpzplthjq.exe "C:\Users\test22\AppData\Local\Temp\Hpzplthjq.exe"
2564
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANQAwAA==
  2680
- InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2056

Name	Response	Post-Analysis Lookup
api.telegram.org	A 149.154.167.220	149.154.167.220

IP Address	Status	Action
149.154.167.220	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2033966	ET HUNTING Telegram API Domain in DNS Lookup	Misc activity
TCP 149.154.167.220:443 -> 192.168.56.101:49164	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
TCP 192.168.56.101:49164 -> 149.154.167.220:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49164 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
TCP 192.168.56.101:49164 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 26, 2023, 6:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 26, 2023, 6:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 26, 2023, 6:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 26, 2023, 6:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 26, 2023, 6:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 26, 2023, 6:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 26, 2023, 6:05 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 26, 2023, 6:05 p.m.			0	0
IsDebuggerPresent April 26, 2023, 6:05 p.m.			0	0
IsDebuggerPresent April 26, 2023, 6:05 p.m.			0	0
IsDebuggerPresent April 26, 2023, 6:06 p.m.			0	0
IsDebuggerPresent April 26, 2023, 6:06 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (43 events)

Time & API	Arguments	Status	Return
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0062b1e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0062b1e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0062b360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057fa40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580440 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580440 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580440 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580440 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580440 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580440 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057f880 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057f880 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057f880 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580140 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005805c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005805c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005805c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005805c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005805c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005805c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005805c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005805c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005805c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005805c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005805c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005805c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005805c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005805c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 26, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 26, 2023, 6:05 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 204 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00710000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00480000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003be000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00da0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005fd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005fe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e4f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e73000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e74000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e75000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 6:05 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e76000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANQAwAA==
cmdline	powershell -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANQAwAA==

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW April 26, 2023, 6:05 p.m.	show_type: 0 filepath_r: powershell parameters: -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANQAwAA== filepath: powershell	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 26, 2023, 6:06 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 26, 2023, 6:06 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 26, 2023, 6:05 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 26, 2023, 6:06 p.m.	process_identifier: 2056 region_size: 286720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000494	1	0	0

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory April 26, 2023, 6:06 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÔÌºà0~N @ `@K @ H.textT\| ~ `.rsrc @@.reloc@@B base_address: 0x00400000 process_identifier: 2056 process_handle: 0x00000494	1	1
WriteProcessMemory April 26, 2023, 6:06 p.m.	buffer: P< base_address: 0x00444000 process_identifier: 2056 process_handle: 0x00000494	1	1
WriteProcessMemory April 26, 2023, 6:06 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2056 process_handle: 0x00000494	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory April 26, 2023, 6:06 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÔÌºà0~N @ `@K @ H.textT\| ~ `.rsrc @@.reloc@@B base_address: 0x00400000 process_identifier: 2056 process_handle: 0x00000494	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2564 called NtSetContextThread to modify thread in remote process 2056
NtSetContextThread April 26, 2023, 6:06 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4430926 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000350 process_identifier: 2056	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2564 resumed a thread in remote process 2056
NtResumeThread April 26, 2023, 6:06 p.m.	thread_handle: 0x00000350 suspend_count: 1 process_identifier: 2056	1	0	0

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

Lionic	Trojan.Win32.Stealer.12!c
Elastic	malicious (high confidence)
FireEye	Generic.mg.fffbb8afb4ca73ec
McAfee	Artemis!FFFBB8AFB4CA
Cylance	unsafe
CrowdStrike	win/malicious_confidence_90% (W)
BitDefenderTheta	Gen:NN.ZemsilCO.36164.Gn0@aOURwul
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik.AIRU
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan-Spy.MSIL.Stealer.gen
Avast	Win32:DropperX-gen [Drp]
Tencent	Msil.Trojan-Spy.Stealer.Ctgl
Sophos	Mal/Generic-S
DrWeb	Trojan.Inject4.30942
McAfee-GW-Edition	BehavesLike.Win32.Generic.th
Ikarus	Trojan-Spy.AgentTesla
Webroot	W32.Malware.Gen
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Stealer.gen
Google	Detected
Malwarebytes	Malware.AI.3223091315
Rising	Stealer.Agent!8.C2 (CLOUD)
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:DropperX-gen [Drp]
DeepInstinct	MALICIOUS

Executed a process and injected code into it, probably while unpacking (33 events)

Time & API	Arguments	Status	Return
NtResumeThread April 26, 2023, 6:05 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2564	1	0
NtResumeThread April 26, 2023, 6:05 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2564	1	0
NtResumeThread April 26, 2023, 6:05 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2564	1	0
NtResumeThread April 26, 2023, 6:05 p.m.	thread_handle: 0x0000020c suspend_count: 1 process_identifier: 2564	1	0
NtGetContextThread April 26, 2023, 6:05 p.m.	thread_handle: 0x000000e4	1	0
NtResumeThread April 26, 2023, 6:05 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2564	1	0
NtGetContextThread April 26, 2023, 6:05 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread April 26, 2023, 6:05 p.m.	thread_handle: 0x000000e4	1	0
NtResumeThread April 26, 2023, 6:05 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2564	1	0
NtGetContextThread April 26, 2023, 6:05 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread April 26, 2023, 6:05 p.m.	thread_handle: 0x000000e4	1	0
NtResumeThread April 26, 2023, 6:05 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2564	1	0
NtResumeThread April 26, 2023, 6:05 p.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 2564	1	0
CreateProcessInternalW April 26, 2023, 6:05 p.m.	thread_identifier: 2684 thread_handle: 0x0000038c process_identifier: 2680 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANQAwAA== filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000394	1	1
NtResumeThread April 26, 2023, 6:06 p.m.	thread_handle: 0x00000490 suspend_count: 1 process_identifier: 2564	1	0
CreateProcessInternalW April 26, 2023, 6:06 p.m.	thread_identifier: 1152 thread_handle: 0x00000350 process_identifier: 2056 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000494	1	1
NtGetContextThread April 26, 2023, 6:06 p.m.	thread_handle: 0x00000350	1	0
NtAllocateVirtualMemory April 26, 2023, 6:06 p.m.	process_identifier: 2056 region_size: 286720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000494	1	0
WriteProcessMemory April 26, 2023, 6:06 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÔÌºà0~N @ `@K @ H.textT\| ~ `.rsrc @@.reloc@@B base_address: 0x00400000 process_identifier: 2056 process_handle: 0x00000494	1	1
WriteProcessMemory April 26, 2023, 6:06 p.m.	buffer: base_address: 0x00402000 process_identifier: 2056 process_handle: 0x00000494	1	1
WriteProcessMemory April 26, 2023, 6:06 p.m.	buffer: base_address: 0x0043a000 process_identifier: 2056 process_handle: 0x00000494	1	1
WriteProcessMemory April 26, 2023, 6:06 p.m.	buffer: P< base_address: 0x00444000 process_identifier: 2056 process_handle: 0x00000494	1	1
WriteProcessMemory April 26, 2023, 6:06 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2056 process_handle: 0x00000494	1	1
NtSetContextThread April 26, 2023, 6:06 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4430926 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000350 process_identifier: 2056	1	0
NtResumeThread April 26, 2023, 6:06 p.m.	thread_handle: 0x00000350 suspend_count: 1 process_identifier: 2056	1	0
NtResumeThread April 26, 2023, 6:05 p.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 2680	1	0
NtResumeThread April 26, 2023, 6:05 p.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 2680	1	0
NtResumeThread April 26, 2023, 6:05 p.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 2680	1	0
NtResumeThread April 26, 2023, 6:06 p.m.	thread_handle: 0x00000388 suspend_count: 1 process_identifier: 2680	1	0
NtResumeThread April 26, 2023, 6:06 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2056	1	0
NtResumeThread April 26, 2023, 6:06 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2056	1	0
NtResumeThread April 26, 2023, 6:06 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2056	1	0
NtResumeThread April 26, 2023, 6:06 p.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 2056	1	0

Hpzplthjq.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All