Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 26, 2023, 5:46 p.m.	May 26, 2023, 5:48 p.m.

Size	273.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`9e925b69e3dbb48c606de897284d31ae`
SHA256	`648cf8b93fa2f02344ef0ab1684a0e6cfb45b61a21f79890c5183e8068f6a1fa`
CRC32	`035626EF`
ssdeep	`3072:NJQHFFX6f+uKVWyxLvZ2RFIEtg6o5dqGDQSQmYI6Lw3VfsB75zk6By5kGl4TbqNC:YlFqfqxLARFN+8wGN5zk+yiVPnbM`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature IsPE32 - (no description)

IE_NET.exe "C:\Users\test22\AppData\Local\Temp\IE_NET.exe"
3012
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==
  1368
- IE_NET.exe C:\Users\test22\AppData\Local\Temp\IE_NET.exe
  2516
  - IE_NET.exe C:\Users\test22\AppData\Local\Temp\IE_NET.exe /stext "C:\Users\test22\AppData\Local\Temp\zaybwlt"
    1968
  - IE_NET.exe C:\Users\test22\AppData\Local\Temp\IE_NET.exe /stext "C:\Users\test22\AppData\Local\Temp\juemxeduog"
    2528
  - IE_NET.exe C:\Users\test22\AppData\Local\Temp\IE_NET.exe /stext "C:\Users\test22\AppData\Local\Temp\mwjexwoocoekq"
    2480
  - IE_NET.exe C:\Users\test22\AppData\Local\Temp\IE_NET.exe /stext "C:\Users\test22\AppData\Local\Temp\glfwuvjapkidcazdwllamnuyibmowejrb"
    2988
  - IE_NET.exe C:\Users\test22\AppData\Local\Temp\IE_NET.exe /stext "C:\Users\test22\AppData\Local\Temp\qgkou"
    2780
  - IE_NET.exe C:\Users\test22\AppData\Local\Temp\IE_NET.exe /stext "C:\Users\test22\AppData\Local\Temp\bixzvgev"
    832

Name	Response	Post-Analysis Lookup
divdemoce.duckdns.org	A 192.30.89.67	192.30.89.67
geoplugin.net	A 178.237.33.50	178.237.33.50
corpotechgroup.com	A 162.213.196.78	162.213.196.78

IP Address	Status	Action
162.213.196.78	Active	Moloch
164.124.101.2	Active	Moloch
178.237.33.50	Active	Moloch
192.30.89.67	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:62846 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.102:62846 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
TCP 192.168.56.102:49168 -> 192.30.89.67:35639	2036594	ET JA3 Hash - Remcos 3.x TLS Connection	Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 192.30.89.67:35639	2036594	ET JA3 Hash - Remcos 3.x TLS Connection	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.102:49168 192.30.89.67:35639	None	None	None
TLS 1.3 192.168.56.102:49167 192.30.89.67:35639	None	None	None

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 26, 2023, 5:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 26, 2023, 5:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 26, 2023, 5:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 26, 2023, 5:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 26, 2023, 5:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 26, 2023, 5:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 26, 2023, 5:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 26, 2023, 5:47 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 26, 2023, 5:47 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 26, 2023, 5:47 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 26, 2023, 5:47 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 26, 2023, 5:47 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 26, 2023, 5:47 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 26, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 26, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 26, 2023, 5:46 p.m.			0	0
IsDebuggerPresent May 26, 2023, 5:47 p.m.			0	0
IsDebuggerPresent May 26, 2023, 5:47 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (44 events)

Time & API	Arguments	Status	Return
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005549f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005549f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554878 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554878 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695c48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695988 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695988 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695988 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695588 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695588 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695588 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695588 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695588 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695588 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695748 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695a48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695a48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695a48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695a48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695a48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695a48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695a48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695a48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695a48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695a48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695a48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695a48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695a48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00695a48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006951c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006951c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 26, 2023, 5:46 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET http://corpotechgroup.com/Wxdypod.png
suspicious_features	GET method with no useragent header				suspicious_request	GET http://geoplugin.net/json.gp

Connects to a Dynamic DNS Domain (1 event)

domain

divdemoce.duckdns.org

Performs some HTTP requests (2 events)

request	GET http://corpotechgroup.com/Wxdypod.png
request	GET http://geoplugin.net/json.gp

Allocates read-write-execute memory (usually to unpack itself) (50 out of 250 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00610000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00485000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00477000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70b92000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00476000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05060000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05061000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05062000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05063000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05064000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05065000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05066000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05067000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05068000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05069000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0506a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05360000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05361000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05362000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05363000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05364000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05365000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05366000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05367000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05368000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05369000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

IE_NET.exe tried to sleep 309 seconds, actually delayed analysis time by 309 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (8 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW May 26, 2023, 5:47 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 26, 2023, 5:47 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 26, 2023, 5:47 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 26, 2023, 5:47 p.m.	number_of_free_clusters: 2226278 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 26, 2023, 5:47 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 26, 2023, 5:47 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 26, 2023, 5:47 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 26, 2023, 5:47 p.m.	number_of_free_clusters: 2226196 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1

Steals private information from local Internet browsers (50 out of 66 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Login Data

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	powershell -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 26, 2023, 5:46 p.m.	show_type: 0 filepath_r: powershell parameters: -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA== filepath: powershell	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (7 events)

Time & API	Arguments	Status	Return
Process32NextW May 26, 2023, 5:47 p.m.	snapshot_handle: 0x00000130 process_name: taskhost.exe process_identifier: 2824	1	1
Process32NextW May 26, 2023, 5:47 p.m.	snapshot_handle: 0x00000130 process_name: IE_NET.exe process_identifier: 1968	1	1
Process32NextW May 26, 2023, 5:47 p.m.	snapshot_handle: 0x00000130 process_name: cmd.exe process_identifier: 1328	1	1
Process32NextW May 26, 2023, 5:47 p.m.	snapshot_handle: 0x00000130 process_name: conhost.exe process_identifier: 2880	1	1
Process32NextW May 26, 2023, 5:47 p.m.	snapshot_handle: 0x00000130 process_name: pw.exe process_identifier: 2940	1	1
Process32NextW May 26, 2023, 5:47 p.m.	snapshot_handle: 0x00000130 process_name: IE_NET.exe process_identifier: 2988	1	1
Process32NextW May 26, 2023, 5:47 p.m.	snapshot_handle: 0x00000130 process_name: IE_NET.exe process_identifier: 2780	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 26, 2023, 5:46 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW May 26, 2023, 5:46 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 26, 2023, 5:46 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 26, 2023, 5:47 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 26, 2023, 5:47 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (50 out of 76 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Take ScreenShot	rule	ScreenShot
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	browser info stealer	rule	infoStealer_browser_Zero
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags

Queries for potentially installed applications (2 events)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExA May 26, 2023, 5:47 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian		2	0
RegOpenKeyExA May 26, 2023, 5:47 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian		2	0

Uses Windows utilities for basic Windows functionality (7 events)

cmdline	C:\Users\test22\AppData\Local\Temp\IE_NET.exe /stext "C:\Users\test22\AppData\Local\Temp\zaybwlt"
cmdline	C:\Users\test22\AppData\Local\Temp\IE_NET.exe /stext "C:\Users\test22\AppData\Local\Temp\glfwuvjapkidcazdwllamnuyibmowejrb"
cmdline	C:\Users\test22\AppData\Local\Temp\IE_NET.exe /stext "C:\Users\test22\AppData\Local\Temp\bixzvgev"
cmdline	C:\Users\test22\AppData\Local\Temp\IE_NET.exe
cmdline	C:\Users\test22\AppData\Local\Temp\IE_NET.exe /stext "C:\Users\test22\AppData\Local\Temp\qgkou"
cmdline	C:\Users\test22\AppData\Local\Temp\IE_NET.exe /stext "C:\Users\test22\AppData\Local\Temp\mwjexwoocoekq"
cmdline	C:\Users\test22\AppData\Local\Temp\IE_NET.exe /stext "C:\Users\test22\AppData\Local\Temp\juemxeduog"

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 2516 region_size: 528384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004f8	1	0	0

Harvests information related to installed instant messenger clients (5 events)

file	C:\Users\test22\AppData\Roaming\Digsby\digsby.dat
file	C:\Users\test22\AppData\Roaming\MySpace\IM\users.txt
registry	HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords
registry	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
registry	HKEY_CURRENT_USER\Software\Paltalk

Potential code injection by writing to the memory of another process (11 events)

Time & API	Arguments	Status	Return
WriteProcessMemory May 26, 2023, 5:46 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ì!¨ier¨ier¨ierõr»ierõrierõr¶ier¡ár©ier6É¢rªier7fs²ier7`sier7asier¡ör±ier¨idrher7lsÊier7r©ier7gs©ierRich¨ierPELP«kdàbr9@ÞÜJÐ; Â84ÃØÂ@Ì.textë`b `.rdata xzf@@.data\à@À.tls `î@À.gfids0pð@@.rsrcÜJLô@@.reloc;Ð<@@B base_address: 0x00400000 process_identifier: 2516 process_handle: 0x000004f8	1	1
WriteProcessMemory May 26, 2023, 5:46 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ÅEÈEÅE..G\G\G\G\G\G\G\G\G\GG`G`G`G`G`G`G`GGÿÿÿÿÈE¨G¨G¨G¨G¨GGËEÌEØÚEèGGCPSTPDT°GðGÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZGþÿÿÿþÿÿÿuÏ!tåa¾e¸Â¢z»^ âÈ¨3¶F¦<A¶FL?A¶Fk<AE.?AVtype_info@@E.?AVbad_alloc@std@@E.?AVbad_array_new_length@std@@E.?AVlogic_error@std@@E.?AVlength_error@std@@E.?AVout_of_range@std@@E.?AV_Facet_base@std@@E.?AV_Locimp@locale@std@@E.?AVfacet@locale@std@@E.?AU_Crt_new_delete@std@@E.?AVcodecvt_base@std@@E.?AUctype_base@std@@E.?AV?$ctype@D@std@@E.?AV?$codecvt@DDU_Mbstatet@@@std@@E.?AVbad_exception@std@@E.HE.?AVfailure@ios_base@std@@E.?AVruntime_error@std@@E.?AVsystem_error@std@@E.?AVbad_cast@std@@E.?AV_System_error@std@@E.?AVexception@std@@ base_address: 0x00470000 process_identifier: 2516 process_handle: 0x000004f8	1	1
WriteProcessMemory May 26, 2023, 5:46 p.m.	buffer: base_address: 0x00476000 process_identifier: 2516 process_handle: 0x000004f8	1	1
WriteProcessMemory May 26, 2023, 5:46 p.m.	buffer: Ò·>,/F/>/>)ß>ÚáËuúqÎq/.êêÌGtG>>\|r{N//ßþ&ùõLùù°onr°X±¡Õn5w Ä¨ U\|Àq0¤R¼Z b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x00477000 process_identifier: 2516 process_handle: 0x000004f8	1	1
WriteProcessMemory May 26, 2023, 5:46 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2516 process_handle: 0x000004f8	1	1
WriteProcessMemory May 26, 2023, 5:47 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1968 process_handle: 0x000002d0	1	1
WriteProcessMemory May 26, 2023, 5:47 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2528 process_handle: 0x000002d0	1	1
WriteProcessMemory May 26, 2023, 5:47 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2480 process_handle: 0x000002d0	1	1
WriteProcessMemory May 26, 2023, 5:47 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2988 process_handle: 0x000002d0	1	1
WriteProcessMemory May 26, 2023, 5:47 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2780 process_handle: 0x000002d0	1	1
WriteProcessMemory May 26, 2023, 5:47 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 832 process_handle: 0x000002d0	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 26, 2023, 5:46 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ì!¨ier¨ier¨ierõr»ierõrierõr¶ier¡ár©ier6É¢rªier7fs²ier7`sier7asier¡ör±ier¨idrher7lsÊier7r©ier7gs©ierRich¨ierPELP«kdàbr9@ÞÜJÐ; Â84ÃØÂ@Ì.textë`b `.rdata xzf@@.data\à@À.tls `î@À.gfids0pð@@.rsrcÜJLô@@.reloc;Ð<@@B base_address: 0x00400000 process_identifier: 2516 process_handle: 0x000004f8	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA May 26, 2023, 5:47 p.m.	thread_identifier: 0 callback_function: 0x0040995a hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	852207	0

Harvests credentials from local email clients (6 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
registry	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird
registry	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (14 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3012 called NtSetContextThread to modify thread in remote process 2516
Process injection	Process 2516 called NtSetContextThread to modify thread in remote process 1968
Process injection	Process 2516 called NtSetContextThread to modify thread in remote process 2528
Process injection	Process 2516 called NtSetContextThread to modify thread in remote process 2480
Process injection	Process 2516 called NtSetContextThread to modify thread in remote process 2988
Process injection	Process 2516 called NtSetContextThread to modify thread in remote process 2780
Process injection	Process 2516 called NtSetContextThread to modify thread in remote process 832
NtSetContextThread May 26, 2023, 5:46 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4405618 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000558 process_identifier: 2516	1	0	0
NtSetContextThread May 26, 2023, 5:47 p.m.	registers.eip: 2001207748 registers.esp: 2948944 registers.edi: 0 registers.eax: 4678260 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001a8 process_identifier: 1968	1	0	0
NtSetContextThread May 26, 2023, 5:47 p.m.	registers.eip: 2001207748 registers.esp: 4061408 registers.edi: 0 registers.eax: 4543032 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001a8 process_identifier: 2528	1	0	0
NtSetContextThread May 26, 2023, 5:47 p.m.	registers.eip: 2001207748 registers.esp: 2292720 registers.edi: 0 registers.eax: 4334086 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001a8 process_identifier: 2480	1	0	0
NtSetContextThread May 26, 2023, 5:47 p.m.	registers.eip: 2001207748 registers.esp: 3799968 registers.edi: 0 registers.eax: 4678260 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001a8 process_identifier: 2988	1	0	0
NtSetContextThread May 26, 2023, 5:47 p.m.	registers.eip: 2001207748 registers.esp: 2359192 registers.edi: 0 registers.eax: 4543032 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001a8 process_identifier: 2780	1	0	0
NtSetContextThread May 26, 2023, 5:47 p.m.	registers.eip: 2001207748 registers.esp: 2752200 registers.edi: 0 registers.eax: 4334086 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001a8 process_identifier: 832	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (14 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3012 resumed a thread in remote process 2516
Process injection	Process 2516 resumed a thread in remote process 1968
Process injection	Process 2516 resumed a thread in remote process 2528
Process injection	Process 2516 resumed a thread in remote process 2480
Process injection	Process 2516 resumed a thread in remote process 2988
Process injection	Process 2516 resumed a thread in remote process 2780
Process injection	Process 2516 resumed a thread in remote process 832
NtResumeThread May 26, 2023, 5:46 p.m.	thread_handle: 0x00000558 suspend_count: 1 process_identifier: 2516	1	0	0
NtResumeThread May 26, 2023, 5:47 p.m.	thread_handle: 0x000001a8 suspend_count: 1 process_identifier: 1968	1	0	0
NtResumeThread May 26, 2023, 5:47 p.m.	thread_handle: 0x000001a8 suspend_count: 1 process_identifier: 2528	1	0	0
NtResumeThread May 26, 2023, 5:47 p.m.	thread_handle: 0x000001a8 suspend_count: 1 process_identifier: 2480	1	0	0
NtResumeThread May 26, 2023, 5:47 p.m.	thread_handle: 0x000001a8 suspend_count: 1 process_identifier: 2988	1	0	0
NtResumeThread May 26, 2023, 5:47 p.m.	thread_handle: 0x000001a8 suspend_count: 1 process_identifier: 2780	1	0	0
NtResumeThread May 26, 2023, 5:47 p.m.	thread_handle: 0x000001a8 suspend_count: 1 process_identifier: 832	1	0	0

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

tehtris	Generic.Malware
Malwarebytes	Generic.Malware/Suspicious
Sangfor	Trojan.Msil.Agent.Vf0c
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	MSIL.Downloader!gen7
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	UDS:Backdoor.MSIL.Remcos.gen
Avast	Win32:RansomX-gen [Ransom]
F-Secure	Heuristic.HEUR/AGEN.1323343
McAfee-GW-Edition	BehavesLike.Win32.Generic.dm
Trapmine	suspicious.low.ml.score
Ikarus	Trojan.MSIL.Inject
Avira	HEUR/AGEN.1323343
Microsoft	Trojan:Win32/Woreflint.A!cl
ZoneAlarm	UDS:Backdoor.MSIL.Remcos.gen
Google	Detected
McAfee	Artemis!9E925B69E3DB
VBA32	Downloader.MSIL.gen.rexp
Rising	Trojan.Kryptik!8.8 (CLOUD)
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.300983.susgen
BitDefenderTheta	Gen:NN.ZemsilF.36196.rm0@aKV!c4j
AVG	Win32:RansomX-gen [Ransom]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_70% (D)

Executed a process and injected code into it, probably while unpacking (50 out of 73 events)

Time & API	Arguments	Status	Return
NtResumeThread May 26, 2023, 5:46 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 3012	1	0
NtResumeThread May 26, 2023, 5:46 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 3012	1	0
NtResumeThread May 26, 2023, 5:46 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 3012	1	0
NtResumeThread May 26, 2023, 5:46 p.m.	thread_handle: 0x00000378 suspend_count: 1 process_identifier: 3012	1	0
NtResumeThread May 26, 2023, 5:46 p.m.	thread_handle: 0x000003e8 suspend_count: 1 process_identifier: 3012	1	0
NtGetContextThread May 26, 2023, 5:46 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread May 26, 2023, 5:46 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread May 26, 2023, 5:46 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 3012	1	0
CreateProcessInternalW May 26, 2023, 5:46 p.m.	thread_identifier: 1184 thread_handle: 0x00000554 process_identifier: 1368 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA== filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000055c	1	1
CreateProcessInternalW May 26, 2023, 5:46 p.m.	thread_identifier: 1568 thread_handle: 0x00000558 process_identifier: 2516 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IE_NET.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000004f8	1	1
NtGetContextThread May 26, 2023, 5:46 p.m.	thread_handle: 0x00000558	1	0
NtAllocateVirtualMemory May 26, 2023, 5:46 p.m.	process_identifier: 2516 region_size: 528384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004f8	1	0
WriteProcessMemory May 26, 2023, 5:46 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ì!¨ier¨ier¨ierõr»ierõrierõr¶ier¡ár©ier6É¢rªier7fs²ier7`sier7asier¡ör±ier¨idrher7lsÊier7r©ier7gs©ierRich¨ierPELP«kdàbr9@ÞÜJÐ; Â84ÃØÂ@Ì.textë`b `.rdata xzf@@.data\à@À.tls `î@À.gfids0pð@@.rsrcÜJLô@@.reloc;Ð<@@B base_address: 0x00400000 process_identifier: 2516 process_handle: 0x000004f8	1	1
WriteProcessMemory May 26, 2023, 5:46 p.m.	buffer: base_address: 0x00401000 process_identifier: 2516 process_handle: 0x000004f8	1	1
WriteProcessMemory May 26, 2023, 5:46 p.m.	buffer: base_address: 0x00458000 process_identifier: 2516 process_handle: 0x000004f8	1	1
WriteProcessMemory May 26, 2023, 5:46 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ÅEÈEÅE..G\G\G\G\G\G\G\G\G\GG`G`G`G`G`G`G`GGÿÿÿÿÈE¨G¨G¨G¨G¨GGËEÌEØÚEèGGCPSTPDT°GðGÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZGþÿÿÿþÿÿÿuÏ!tåa¾e¸Â¢z»^ âÈ¨3¶F¦<A¶FL?A¶Fk<AE.?AVtype_info@@E.?AVbad_alloc@std@@E.?AVbad_array_new_length@std@@E.?AVlogic_error@std@@E.?AVlength_error@std@@E.?AVout_of_range@std@@E.?AV_Facet_base@std@@E.?AV_Locimp@locale@std@@E.?AVfacet@locale@std@@E.?AU_Crt_new_delete@std@@E.?AVcodecvt_base@std@@E.?AUctype_base@std@@E.?AV?$ctype@D@std@@E.?AV?$codecvt@DDU_Mbstatet@@@std@@E.?AVbad_exception@std@@E.HE.?AVfailure@ios_base@std@@E.?AVruntime_error@std@@E.?AVsystem_error@std@@E.?AVbad_cast@std@@E.?AV_System_error@std@@E.?AVexception@std@@ base_address: 0x00470000 process_identifier: 2516 process_handle: 0x000004f8	1	1
WriteProcessMemory May 26, 2023, 5:46 p.m.	buffer: base_address: 0x00476000 process_identifier: 2516 process_handle: 0x000004f8	1	1
WriteProcessMemory May 26, 2023, 5:46 p.m.	buffer: Ò·>,/F/>/>)ß>ÚáËuúqÎq/.êêÌGtG>>\|r{N//ßþ&ùõLùù°onr°X±¡Õn5w Ä¨ U\|Àq0¤R¼Z b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x00477000 process_identifier: 2516 process_handle: 0x000004f8	1	1
WriteProcessMemory May 26, 2023, 5:46 p.m.	buffer: base_address: 0x00478000 process_identifier: 2516 process_handle: 0x000004f8	1	1
WriteProcessMemory May 26, 2023, 5:46 p.m.	buffer: base_address: 0x0047d000 process_identifier: 2516 process_handle: 0x000004f8	1	1
WriteProcessMemory May 26, 2023, 5:46 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2516 process_handle: 0x000004f8	1	1
NtSetContextThread May 26, 2023, 5:46 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4405618 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000558 process_identifier: 2516	1	0
NtResumeThread May 26, 2023, 5:46 p.m.	thread_handle: 0x00000558 suspend_count: 1 process_identifier: 2516	1	0
NtResumeThread May 26, 2023, 5:46 p.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 1368	1	0
NtResumeThread May 26, 2023, 5:46 p.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 1368	1	0
NtResumeThread May 26, 2023, 5:46 p.m.	thread_handle: 0x00000438 suspend_count: 1 process_identifier: 1368	1	0
NtResumeThread May 26, 2023, 5:46 p.m.	thread_handle: 0x00000484 suspend_count: 1 process_identifier: 1368	1	0
CreateProcessInternalW May 26, 2023, 5:47 p.m.	thread_identifier: 1220 thread_handle: 0x000001a8 process_identifier: 1968 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IE_NET.exe /stext "C:\Users\test22\AppData\Local\Temp\zaybwlt" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002d0	1	1
NtGetContextThread May 26, 2023, 5:47 p.m.	thread_handle: 0x000001a8	1	0
NtUnmapViewOfSection May 26, 2023, 5:47 p.m.	base_address: 0x00400000 region_size: 14876672 process_identifier: 1968 process_handle: 0x000002d0		3221225497
NtMapViewOfSection May 26, 2023, 5:47 p.m.	section_handle: 0x00000344 process_identifier: 1968 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: base_address: 0x00400000 allocation_type: 0 () section_offset: 0 view_size: 491520 process_handle: 0x000002d0	1	0
WriteProcessMemory May 26, 2023, 5:47 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1968 process_handle: 0x000002d0	1	1
NtSetContextThread May 26, 2023, 5:47 p.m.	registers.eip: 2001207748 registers.esp: 2948944 registers.edi: 0 registers.eax: 4678260 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001a8 process_identifier: 1968	1	0
NtResumeThread May 26, 2023, 5:47 p.m.	thread_handle: 0x000001a8 suspend_count: 1 process_identifier: 1968	1	0
CreateProcessInternalW May 26, 2023, 5:47 p.m.	thread_identifier: 2128 thread_handle: 0x000001a8 process_identifier: 2528 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IE_NET.exe /stext "C:\Users\test22\AppData\Local\Temp\juemxeduog" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002d0	1	1
NtGetContextThread May 26, 2023, 5:47 p.m.	thread_handle: 0x000001a8	1	0
NtUnmapViewOfSection May 26, 2023, 5:47 p.m.	base_address: 0x00400000 region_size: 14876672 process_identifier: 2528 process_handle: 0x000002d0		3221225497
NtMapViewOfSection May 26, 2023, 5:47 p.m.	section_handle: 0x00000330 process_identifier: 2528 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: base_address: 0x00400000 allocation_type: 0 () section_offset: 0 view_size: 356352 process_handle: 0x000002d0	1	0
WriteProcessMemory May 26, 2023, 5:47 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2528 process_handle: 0x000002d0	1	1
NtSetContextThread May 26, 2023, 5:47 p.m.	registers.eip: 2001207748 registers.esp: 4061408 registers.edi: 0 registers.eax: 4543032 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001a8 process_identifier: 2528	1	0
NtResumeThread May 26, 2023, 5:47 p.m.	thread_handle: 0x000001a8 suspend_count: 1 process_identifier: 2528	1	0
CreateProcessInternalW May 26, 2023, 5:47 p.m.	thread_identifier: 2492 thread_handle: 0x000001a8 process_identifier: 2480 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IE_NET.exe /stext "C:\Users\test22\AppData\Local\Temp\mwjexwoocoekq" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002d0	1	1
NtGetContextThread May 26, 2023, 5:47 p.m.	thread_handle: 0x000001a8	1	0
NtUnmapViewOfSection May 26, 2023, 5:47 p.m.	base_address: 0x00400000 region_size: 14876672 process_identifier: 2480 process_handle: 0x000002d0		3221225497
NtMapViewOfSection May 26, 2023, 5:47 p.m.	section_handle: 0x0000034c process_identifier: 2480 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: base_address: 0x00400000 allocation_type: 0 () section_offset: 0 view_size: 147456 process_handle: 0x000002d0	1	0
WriteProcessMemory May 26, 2023, 5:47 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2480 process_handle: 0x000002d0	1	1
NtSetContextThread May 26, 2023, 5:47 p.m.	registers.eip: 2001207748 registers.esp: 2292720 registers.edi: 0 registers.eax: 4334086 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001a8 process_identifier: 2480	1	0
NtResumeThread May 26, 2023, 5:47 p.m.	thread_handle: 0x000001a8 suspend_count: 1 process_identifier: 2480	1	0
CreateProcessInternalW May 26, 2023, 5:47 p.m.	thread_identifier: 2984 thread_handle: 0x000001a8 process_identifier: 2988 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IE_NET.exe /stext "C:\Users\test22\AppData\Local\Temp\glfwuvjapkidcazdwllamnuyibmowejrb" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002d0	1	1
NtGetContextThread May 26, 2023, 5:47 p.m.	thread_handle: 0x000001a8	1	0

IE_NET.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All