Summary | ZeroBOX

FineC0de.exe

Downloader UPX Socket ScreenShot Http API AntiDebug PE File PE32 .NET EXE AntiVM
Category FILE
Machine s1_win7_x6403_us
Started June 11, 2023, 10:51 p.m.
Completed June 11, 2023, 11:33 p.m.
Size 4.0MB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 d86704134f65f0ebe87032f76864db5a
SHA256 9e57ccd47600e2e5483b7464549bad124f2f529f09ad29a570f4e583a3355968
CRC32 54D01173
ssdeep 98304:XJs06Eg5LkheKEdyvea5ZUt9WnZQ+1yzmp8PN:XJq5cdQXCYSpS
Yara
  • UPX_Zero - UPX packed file
  • Is_DotNET_EXE - (no description)
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
5.42.64.41 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49168 -> 5.42.64.41:1337 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 5.42.64.41:1337 2044303 ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 192.168.56.103:49171 -> 5.42.64.41:1337 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.103:49171 -> 5.42.64.41:1337 2044305 ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 5.42.64.41:1337 -> 192.168.56.103:49168 2022050 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 A Network Trojan was detected
TCP 5.42.64.41:1337 -> 192.168.56.103:49171 2022050 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 A Network Trojan was detected
TCP 192.168.56.103:49172 -> 5.42.64.41:1337 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 5.42.64.41:1337 2044306 ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 5.42.64.41:1337 -> 192.168.56.103:49172 2022050 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 A Network Trojan was detected
TCP 192.168.56.103:49169 -> 5.42.64.41:1337 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 5.42.64.41:1337 -> 192.168.56.103:49169 2022050 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 A Network Trojan was detected
TCP 192.168.56.103:49170 -> 5.42.64.41:1337 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.103:49170 -> 5.42.64.41:1337 2044302 ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 5.42.64.41:1337 -> 192.168.56.103:49170 2022050 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 A Network Trojan was detected
TCP 192.168.56.103:49173 -> 5.42.64.41:1337 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 5.42.64.41:1337 2044301 ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 5.42.64.41:1337 -> 192.168.56.103:49173 2022050 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 A Network Trojan was detected
TCP 5.42.64.41:1337 -> 192.168.56.103:49168 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 5.42.64.41:1337 -> 192.168.56.103:49168 2022051 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 A Network Trojan was detected
TCP 5.42.64.41:1337 -> 192.168.56.103:49168 2022053 ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2 A Network Trojan was detected
TCP 5.42.64.41:1337 -> 192.168.56.103:49172 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 5.42.64.41:1337 -> 192.168.56.103:49172 2022051 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 A Network Trojan was detected
TCP 5.42.64.41:1337 -> 192.168.56.103:49172 2022053 ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2 A Network Trojan was detected
TCP 5.42.64.41:1337 -> 192.168.56.103:49173 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 5.42.64.41:1337 -> 192.168.56.103:49173 2022051 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 A Network Trojan was detected
TCP 5.42.64.41:1337 -> 192.168.56.103:49173 2022053 ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2 A Network Trojan was detected
TCP 5.42.64.41:1337 -> 192.168.56.103:49169 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 5.42.64.41:1337 -> 192.168.56.103:49169 2022051 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 A Network Trojan was detected
TCP 5.42.64.41:1337 -> 192.168.56.103:49169 2022053 ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2 A Network Trojan was detected
TCP 5.42.64.41:1337 -> 192.168.56.103:49170 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 5.42.64.41:1337 -> 192.168.56.103:49170 2022051 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 A Network Trojan was detected
TCP 5.42.64.41:1337 -> 192.168.56.103:49170 2022053 ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2 A Network Trojan was detected
TCP 5.42.64.41:1337 -> 192.168.56.103:49171 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 5.42.64.41:1337 -> 192.168.56.103:49171 2022051 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 A Network Trojan was detected
TCP 5.42.64.41:1337 -> 192.168.56.103:49171 2022053 ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2 A Network Trojan was detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1952
region_size: 1114112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008d0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1952
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f31000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1952
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f32000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1952
region_size: 393216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008d0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007b2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007e5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007eb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007e7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007cc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00980000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007d6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007da000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007d7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007ba000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0099f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00990000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00981000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007ca000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00982000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nss3.dll
file C:\Users\test22\AppData\Local\Temp\mozglue.dll
file C:\Users\test22\AppData\Local\Temp\sqlite3.dll
file C:\Users\test22\AppData\Local\Temp\softokn3.dll
file C:\Users\test22\AppData\Local\Temp\freebl3.dll
file C:\Users\test22\AppData\Local\Temp\libcrypto.dll
Time & API Arguments Status Return Repeated

recv

buffer: HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sun, 11 Jun 2023 14:32:16 GMT Content-Type: application/octet-stream Content-Length: 685472 Connection: keep-alive vary: Origin access-control-allow-credentials: true access-control-expose-headers: Content-Type, Authorization accept-ranges: bytes cache-control: public, max-age=0 last-modified: Fri, 27 Jan 2023 19:52:42 GMT etag: W/"a75a0-185f4ca1310" MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL.%Ôcà"! 6 à Ç @A, Sk, ´  xL  )° X$d& 0 X. 8.text¿ `.rdata<0@@.data<F@  @À.00cfg  @@.rsrcx  " @@.relocX$° && @B
received: 1024
socket: 696
1 1024 0

recv

buffer: HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sun, 11 Jun 2023 14:32:17 GMT Content-Type: application/octet-stream Content-Length: 2519552 Connection: keep-alive vary: Origin access-control-allow-credentials: true access-control-expose-headers: Content-Type, Authorization accept-ranges: bytes cache-control: public, max-age=0 last-modified: Sat, 09 Jul 2022 00:05:20 GMT etag: W/"267200-181e0466a00" MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $‡õ2qÔ\"Ô\"Ô\"ÊìÏ"ה\"Âù]#Á”\"ÂùY#Ȕ\"ÂùX#ɔ\"Âù_#ɔ\"˜ü]#Ȕ\"Ô]"X”\"Ô\"Ք\"ùX#¶–\"ù\#”\"ù£"”\"ù^#”\"RichÔ\"PELwç]à! Dn H`ð&@Ð÷"„fŒÅ%Tð%|&ÈÏÐÛ"8Ü"@À%Œ.text£BD `.rdataTþ` H@@.dataØY
received: 1024
socket: 780
1 1024 0

recv

buffer: HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sun, 11 Jun 2023 14:32:17 GMT Content-Type: application/octet-stream Content-Length: 599456 Connection: keep-alive vary: Origin access-control-allow-credentials: true access-control-expose-headers: Content-Type, Authorization accept-ranges: bytes cache-control: public, max-age=0 last-modified: Fri, 27 Jan 2023 19:52:42 GMT etag: W/"925a0-185f4ca1310" MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELò$Ôcà"! hª` nœ @AÅ4[Ə, °ü ) ”BL' Êh  à”ì¨/.textᏐ `.rdataô ”@@.datahÀ¦@À.00cfgàª@@.tlsð¬@À.rsrc° ®@@.relo
received: 1024
socket: 788
1 1024 0

recv

buffer: HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sun, 11 Jun 2023 14:32:18 GMT Content-Type: application/octet-stream Content-Length: 2044832 Connection: keep-alive vary: Origin access-control-allow-credentials: true access-control-expose-headers: Content-Type, Authorization accept-ranges: bytes cache-control: public, max-age=0 last-modified: Fri, 27 Jan 2023 19:52:42 GMT etag: W/"1f33a0-185f4ca1310" MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL %Ôcà"! Ú,p’páä@A &úšÄ@Px  )`ìtð 0ÊT<&@.textyÙÚ `.rdataôîððÞ@@.dataDRà.Î@À.00cfg@ü@@.rsrcxPþ@@.relocì`@B
received: 1024
socket: 696
1 1024 0

recv

buffer: HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sun, 11 Jun 2023 14:32:19 GMT Content-Type: application/octet-stream Content-Length: 256416 Connection: keep-alive vary: Origin access-control-allow-credentials: true access-control-expose-headers: Content-Type, Authorization accept-ranges: bytes cache-control: public, max-age=0 last-modified: Fri, 27 Jan 2023 19:52:42 GMT etag: W/"3e9a0-185f4ca1310" MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL-%Ôcà"! Ìð0΁*@ADvS—wð°€À )À°58qà {Œ.textÊÌ `.rdataÔ«à¬Ð@@.data˜ |@À.00cfg „@@.rsrc€°†@@.reloc°5À6Š@B
received: 1024
socket: 780
1 1024 0

recv

buffer: HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sun, 11 Jun 2023 14:32:19 GMT Content-Type: application/octet-stream Content-Length: 1105974 Connection: keep-alive vary: Origin access-control-allow-credentials: true access-control-expose-headers: Content-Type, Authorization accept-ranges: bytes cache-control: public, max-age=0 last-modified: Thu, 07 Jul 2022 00:48:04 GMT etag: W/"10e036-181d620d1a0" MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÇ(·bŽ¿à! "  @ àa07 Ð ˆ* Ð 0 ¨@ (<   Ð.textT! " `P`.data|'@ (( @`À.rdatapDp FP @`@.bss(À €`À.edataˆ*Ð ,– @0@.idataÐ Â
received: 1024
socket: 784
1 1024 0
section .text (size_of_data 0x003ffa00, virtual_address 0x00002000, virtual_size 0x003ff9f3, entropy 7.999315816991094) entropy 7.99931581699 description A section with a high entropy has been found
entropy 0.995502066618 description Overall entropy of this PE file is high
description Communications over RAW Socket rule Network_TCP_Socket
description PWS Memory rule Generic_PWS_Memory_Zero
description Match Windows Http API call rule Str_Win32_Http_API
description File Downloader rule Network_Downloader
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Take ScreenShot rule ScreenShot
host 5.42.64.41
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2444
region_size: 307200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000264
3221225496 0

NtAllocateVirtualMemory

process_identifier: 2444
region_size: 307200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000264
1 0 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ@@´LÍ!¸rÁ ä6 e·6 e·6 e·åÒf¶8 e·åÒ`¶” e·åÒa¶  e·åÒd¶5 e·6 d·  e·‰Üa¶' e·‰Üf¶  e·‰Ü`¶d e·ïÝl¶# e·ïÝg¶7 e·Rich6 e·PEL@‚dà #&Nv@@°@ '(€˜%Ð@@”.textF$& `.rdata<ð@ò*@@.data05@@À.reloc˜%€&,@B
base_address: 0x004c0000
process_identifier: 2444
process_handle: 0x00000264
1 1 0

WriteProcessMemory

buffer: L
base_address: 0x7efde008
process_identifier: 2444
process_handle: 0x00000264
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ@@´LÍ!¸rÁ ä6 e·6 e·6 e·åÒf¶8 e·åÒ`¶” e·åÒa¶  e·åÒd¶5 e·6 d·  e·‰Üa¶' e·‰Üf¶  e·‰Ü`¶d e·ïÝl¶# e·ïÝg¶7 e·Rich6 e·PEL@‚dà #&Nv@@°@ '(€˜%Ð@@”.textF$& `.rdata<ð@ò*@@.data05@@À.reloc˜%€&,@B
base_address: 0x004c0000
process_identifier: 2444
process_handle: 0x00000264
1 1 0
Process injection Process 1952 called NtSetContextThread to modify thread in remote process 2444
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4290048
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000260
process_identifier: 2444
1 0 0
Process injection Process 1952 resumed a thread in remote process 2444
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000260
suspend_count: 1
process_identifier: 2444
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000000e0
suspend_count: 1
process_identifier: 1952
1 0 0

NtResumeThread

thread_handle: 0x00000154
suspend_count: 1
process_identifier: 1952
1 0 0

NtResumeThread

thread_handle: 0x0000019c
suspend_count: 1
process_identifier: 1952
1 0 0

CreateProcessInternalW

thread_identifier: 2448
thread_handle: 0x00000260
process_identifier: 2444
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\FineC0de.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\FineC0de.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\FineC0de.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000264
1 1 0

NtGetContextThread

thread_handle: 0x00000260
1 0 0

NtAllocateVirtualMemory

process_identifier: 2444
region_size: 307200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000264
3221225496 0

NtAllocateVirtualMemory

process_identifier: 2444
region_size: 307200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000264
1 0 0

WriteProcessMemory

buffer: MZÿÿ@@´LÍ!¸rÁ ä6 e·6 e·6 e·åÒf¶8 e·åÒ`¶” e·åÒa¶  e·åÒd¶5 e·6 d·  e·‰Üa¶' e·‰Üf¶  e·‰Ü`¶d e·ïÝl¶# e·ïÝg¶7 e·Rich6 e·PEL@‚dà #&Nv@@°@ '(€˜%Ð@@”.textF$& `.rdata<ð@ò*@@.data05@@À.reloc˜%€&,@B
base_address: 0x004c0000
process_identifier: 2444
process_handle: 0x00000264
1 1 0

WriteProcessMemory

buffer:
base_address: 0x004c1000
process_identifier: 2444
process_handle: 0x00000264
1 1 0

WriteProcessMemory

buffer:
base_address: 0x004f4000
process_identifier: 2444
process_handle: 0x00000264
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00504000
process_identifier: 2444
process_handle: 0x00000264
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00508000
process_identifier: 2444
process_handle: 0x00000264
1 1 0

WriteProcessMemory

buffer: L
base_address: 0x7efde008
process_identifier: 2444
process_handle: 0x00000264
1 1 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4290048
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000260
process_identifier: 2444
1 0 0

NtResumeThread

thread_handle: 0x00000260
suspend_count: 1
process_identifier: 2444
1 0 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Inject.1b!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.67448395
ALYac Trojan.GenericKD.67448395
Cylance unsafe
Sangfor Suspicious.Win32.Save.a
Alibaba Trojan:MSIL/Kryptik.b74a1f55
K7GW Trojan ( 0059df7d1 )
CrowdStrike win/malicious_confidence_100% (W)
Cyren W32/MSIL_Kryptik.JLT.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Kryptik.AHUA
APEX Malicious
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan.MSIL.Inject.gen
BitDefender Trojan.GenericKD.67448395
Avast Win32:RATX-gen [Trj]
Emsisoft Trojan.GenericKD.67448395 (B)
F-Secure Trojan.TR/Kryptik.njokw
VIPRE Trojan.GenericKD.67448395
TrendMicro Trojan.MSIL.INJECT.USPAXFA23
McAfee-GW-Edition BehavesLike.Win32.Generic.rc
Trapmine malicious.high.ml.score
FireEye Generic.mg.d86704134f65f0eb
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
GData Trojan.GenericKD.67448395
Webroot W32.Trojan.GenKD
Avira TR/Kryptik.njokw
MAX malware (ai score=89)
Antiy-AVL Trojan/MSIL.Kryptik
Arcabit Trojan.Generic.D4052E4B
Microsoft Trojan:Win32/Casdet!rfn
Google Detected
AhnLab-V3 Trojan/Win.Generic.C5439563
Acronis suspicious
McAfee Artemis!D86704134F65
Malwarebytes Trojan.Crypt
Panda Trj/Chgt.AD
TrendMicro-HouseCall Trojan.MSIL.INJECT.USPAXFA23
Rising Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:NYslgDoWwU66V3isAg/4TQ)
Ikarus Trojan.MSIL.Crypt
MaxSecure Trojan.Malware.300983.susgen
Fortinet MSIL/Kryptik.ADWG!tr
BitDefenderTheta Gen:NN.ZemsilF.36250.@p0@amBFVpcG
AVG Win32:RATX-gen [Trj]
Cybereason malicious.83b8a3
DeepInstinct MALICIOUS