Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 5, 2023, 5:17 p.m.	July 5, 2023, 5:36 p.m.

Size	3.4MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`f5a0c42c6c223c05be08f3552ecf723e`
SHA256	`a57e1b10f18f7eac6214057a6ee22445d5c9355eeed2c842977445f0a143cca4`
CRC32	`906C684B`
ssdeep	`24576:HT4UKNetLBA+QfRwzzh+1NF0EbCGT0YdKFOTJByEky0QftW5m7KHlQb/9x/fKkdO:7fERw`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult PE_Header_Zero - PE File Signature anti_vm_detect - Possibly employs anti-virtualization techniques Is_DotNET_EXE - (no description) hide_executable_file - Hide executable file IsPE32 - (no description)

Qjhihl.exe "C:\Users\test22\AppData\Local\Temp\Qjhihl.exe"
880
- RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  2508

Name	Response	Post-Analysis Lookup
webband.com
kewlmail.com		63.251.106.25

IP Address	Status	Action
102.134.49.77	Active	Moloch
104.196.26.65	Active	Moloch
104.218.10.254	Active	Moloch
13.56.33.8	Active	Moloch
135.125.108.170	Active	Moloch
147.154.0.23	Active	Moloch
153.120.34.73	Active	Moloch
153.122.24.177	Active	Moloch
154.210.36.66	Active	Moloch
154.213.117.166	Active	Moloch
159.89.244.183	Active	Moloch
165.160.13.20	Active	Moloch
178.249.70.75	Active	Moloch
185.230.63.107	Active	Moloch
192.124.249.13	Active	Moloch
192.124.249.3	Active	Moloch
164.124.101.2	Active	Moloch
192.241.158.94	Active	Moloch
192.99.226.184	Active	Moloch
198.49.23.144	Active	Moloch
199.34.228.78	Active	Moloch
205.149.134.32	Active	Moloch
207.180.198.201	Active	Moloch
208.100.26.245	Active	Moloch
211.1.226.67	Active	Moloch
212.44.102.57	Active	Moloch
217.160.0.131	Active	Moloch
217.160.0.179	Active	Moloch
217.79.248.38	Active	Moloch
23.239.201.14	Active	Moloch
3.212.23.181	Active	Moloch
3.33.152.147	Active	Moloch
3.64.163.50	Active	Moloch
35.214.171.193	Active	Moloch
46.242.238.60	Active	Moloch
46.30.60.158	Active	Moloch
49.12.155.123	Active	Moloch
49.212.232.113	Active	Moloch
5.181.161.11	Active	Moloch
62.75.216.107	Active	Moloch
62.75.216.137	Active	Moloch
65.52.128.33	Active	Moloch
74.208.215.145	Active	Moloch
75.2.18.233	Active	Moloch
76.223.54.146	Active	Moloch
76.74.184.61	Active	Moloch
77.68.50.105	Active	Moloch
85.128.196.22	Active	Moloch
86.105.245.69	Active	Moloch
91.201.52.102	Active	Moloch
93.187.206.66	Active	Moloch
93.188.2.51	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 5, 2023, 5:17 p.m.			0	0
IsDebuggerPresent July 5, 2023, 5:17 p.m.			0	0
IsDebuggerPresent July 5, 2023, 5:17 p.m.			0	0
IsDebuggerPresent July 5, 2023, 5:17 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey July 5, 2023, 5:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00a72f20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00a72f20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00a73020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d88d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d88d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d8a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 5, 2023, 5:17 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 187 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00800000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00612000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0062c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00645000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0064b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00647000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00636000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0061a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0063a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00637000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b43000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b45000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b46000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b47000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b48000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0062d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0062e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0062f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b4a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b77000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0062a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b78000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e34000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b79000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b7a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b7b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b7c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b7d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05510000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 61440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05511000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 5, 2023, 5:17 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW July 5, 2023, 5:17 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (50 out of 52 events)

host	102.134.49.77
host	104.196.26.65
host	104.218.10.254
host	13.56.33.8
host	135.125.108.170
host	147.154.0.23
host	153.120.34.73
host	153.122.24.177
host	154.210.36.66
host	154.213.117.166
host	159.89.244.183
host	165.160.13.20
host	178.249.70.75
host	185.230.63.107
host	192.124.249.13
host	192.124.249.3
host	164.124.101.2
host	192.241.158.94
host	192.99.226.184
host	198.49.23.144
host	199.34.228.78
host	205.149.134.32
host	207.180.198.201
host	208.100.26.245
host	211.1.226.67
host	212.44.102.57
host	217.160.0.131
host	217.160.0.179
host	217.79.248.38
host	23.239.201.14
host	3.212.23.181
host	3.33.152.147
host	3.64.163.50
host	35.214.171.193
host	46.242.238.60
host	46.30.60.158
host	49.12.155.123
host	49.212.232.113
host	5.181.161.11
host	62.75.216.107
host	62.75.216.137
host	65.52.128.33
host	74.208.215.145
host	75.2.18.233
host	76.223.54.146
host	76.74.184.61
host	77.68.50.105
host	85.128.196.22
host	86.105.245.69
host	91.201.52.102

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 2508 region_size: 679936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000234	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Osdojvi

reg_value

C:\Users\test22\AppData\Roaming\Osdojvi.exe

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 5, 2023, 5:17 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL©ªzÂà0è ®+ @ ` @\+O t@ @+ H.textØç è `.rsrct ê @@.reloc@ ð @B base_address: 0x00400000 process_identifier: 2508 process_handle: 0x00000234	1	1
WriteProcessMemory July 5, 2023, 5:17 p.m.	buffer: P8ht ää4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°DStringFileInfo 000004b0Comments"CompanyNameFileDescription0FileVersion1.0.0.0@InternalNameMqcxlmzbzwt.exe&LegalCopyrightLegalTrademarksHOriginalFilenameMqcxlmzbzwt.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0# êï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x004a2000 process_identifier: 2508 process_handle: 0x00000234	1	1
WriteProcessMemory July 5, 2023, 5:17 p.m.	buffer: °; base_address: 0x004a4000 process_identifier: 2508 process_handle: 0x00000234	1	1
WriteProcessMemory July 5, 2023, 5:17 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2508 process_handle: 0x00000234	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 5, 2023, 5:17 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL©ªzÂà0è ®+ @ ` @\+O t@ @+ H.textØç è `.rsrct ê @@.reloc@ ð @B base_address: 0x00400000 process_identifier: 2508 process_handle: 0x00000234	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 880 called NtSetContextThread to modify thread in remote process 2508
NtSetContextThread July 5, 2023, 5:17 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4205486 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000240 process_identifier: 2508	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 880 resumed a thread in remote process 2508
NtResumeThread July 5, 2023, 5:17 p.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 2508	1	0	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (21 events)

Time & API	Arguments	Status	Return
NtResumeThread July 5, 2023, 5:17 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 880	1	0
NtResumeThread July 5, 2023, 5:17 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 880	1	0
NtResumeThread July 5, 2023, 5:17 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 880	1	0
NtResumeThread July 5, 2023, 5:17 p.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 880	1	0
NtGetContextThread July 5, 2023, 5:17 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 5, 2023, 5:17 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread July 5, 2023, 5:17 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 880	1	0
CreateProcessInternalW July 5, 2023, 5:17 p.m.	thread_identifier: 2512 thread_handle: 0x00000240 process_identifier: 2508 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000234	1	1
NtGetContextThread July 5, 2023, 5:17 p.m.	thread_handle: 0x00000240	1	0
NtAllocateVirtualMemory July 5, 2023, 5:17 p.m.	process_identifier: 2508 region_size: 679936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000234	1	0
WriteProcessMemory July 5, 2023, 5:17 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL©ªzÂà0è ®+ @ ` @\+O t@ @+ H.textØç è `.rsrct ê @@.reloc@ ð @B base_address: 0x00400000 process_identifier: 2508 process_handle: 0x00000234	1	1
WriteProcessMemory July 5, 2023, 5:17 p.m.	buffer: base_address: 0x00402000 process_identifier: 2508 process_handle: 0x00000234	1	1
WriteProcessMemory July 5, 2023, 5:17 p.m.	buffer: P8ht ää4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°DStringFileInfo 000004b0Comments"CompanyNameFileDescription0FileVersion1.0.0.0@InternalNameMqcxlmzbzwt.exe&LegalCopyrightLegalTrademarksHOriginalFilenameMqcxlmzbzwt.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0# êï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x004a2000 process_identifier: 2508 process_handle: 0x00000234	1	1
WriteProcessMemory July 5, 2023, 5:17 p.m.	buffer: °; base_address: 0x004a4000 process_identifier: 2508 process_handle: 0x00000234	1	1
WriteProcessMemory July 5, 2023, 5:17 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2508 process_handle: 0x00000234	1	1
NtSetContextThread July 5, 2023, 5:17 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4205486 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000240 process_identifier: 2508	1	0
NtResumeThread July 5, 2023, 5:17 p.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 2508	1	0
NtResumeThread July 5, 2023, 5:17 p.m.	thread_handle: 0x0000017c suspend_count: 1 process_identifier: 2508	1	0
NtResumeThread July 5, 2023, 5:17 p.m.	thread_handle: 0x000001ec suspend_count: 1 process_identifier: 2508	1	0
NtResumeThread July 5, 2023, 5:17 p.m.	thread_handle: 0x000002b4 suspend_count: 1 process_identifier: 2508	1	0
NtResumeThread July 5, 2023, 5:17 p.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 2508	1	0

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Ser.MSILHeracles.2098
McAfee	Artemis!F5A0C42C6C22
Malwarebytes	Malware.AI.3767807911
VIPRE	Gen:Variant.Ser.MSILHeracles.2098
Sangfor	Trojan.Msil.Kryptik.Vldm
Alibaba	Trojan:MSIL/GenKryptik.930c9514
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Ser.MSILHeracles.D832
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/GenKryptik.GLKE
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan-Ransom.MSIL.Blocker.gen
BitDefender	Gen:Variant.Ser.MSILHeracles.2098
Avast	Win32:MalwareX-gen [Trj]
Tencent	Msil.Trojan-Ransom.Blocker.Hflw
Emsisoft	Gen:Variant.Ser.MSILHeracles.2098 (B)
F-Secure	Heuristic.HEUR/AGEN.1363500
McAfee-GW-Edition	Artemis!Trojan
FireEye	Gen:Variant.Ser.MSILHeracles.2098
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Avira	HEUR/AGEN.1363500
MAX	malware (ai score=84)
Antiy-AVL	Trojan/MSIL.GenKryptik
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	HEUR:Trojan-Ransom.MSIL.Blocker.gen
GData	Gen:Variant.Ser.MSILHeracles.2098
Google	Detected
BitDefenderTheta	Gen:NN.ZemsilF.36270.zp0@amAZdzb
ALYac	Gen:Variant.Ser.MSILHeracles.2098
Cylance	unsafe
TrendMicro-HouseCall	TROJ_GEN.R002H0CG323
Rising	Malware.Obfus/MSIL@AI.88 (RDM.MSIL2:b59B72REUl/hmT1UpV5j5w)
Ikarus	Trojan.MSIL.Inject
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Agent.OXE!tr.dldr
AVG	Win32:MalwareX-gen [Trj]
Cybereason	malicious.8ea1dd
DeepInstinct	MALICIOUS

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (10 events)

dead_host	192.168.56.103:49395
dead_host	192.168.56.103:49353
dead_host	192.168.56.103:49245
dead_host	192.168.56.103:49259
dead_host	192.168.56.103:49628
dead_host	207.180.198.201:80
dead_host	192.168.56.103:49400
dead_host	192.168.56.103:49654
dead_host	192.168.56.103:49328
dead_host	192.168.56.103:49573

Qjhihl.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All