Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 12, 2023, 7:29 a.m.	July 12, 2023, 7:33 a.m.

Size	592.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`23d9fbc39ec74f969e07953b833a1679`
SHA256	`d04081ee309c26a8a8b6d3d4aecc8385178de242a28832cff55083008c29ce69`
CRC32	`657EE780`
ssdeep	`12288:vkEz9gZue7DyL9ehe8L0+o0lnMfi23yORKQPebtqIQ:PisEeL9ae8gpqcwORKGIQ`
PDB Path	wUNI.pdb
Yara	Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description)

mpomzx.exe "C:\Users\test22\AppData\Local\Temp\mpomzx.exe"
2660
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\mpomzx.exe"
  3068
- mpomzx.exe "C:\Users\test22\AppData\Local\Temp\mpomzx.exe"
  908

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (11 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 12, 2023, 7:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 12, 2023, 7:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 12, 2023, 7:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 12, 2023, 7:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 12, 2023, 7:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 12, 2023, 7:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 12, 2023, 7:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 12, 2023, 7:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 12, 2023, 7:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 12, 2023, 7:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 12, 2023, 7:31 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 12, 2023, 7:29 a.m.			0	0
IsDebuggerPresent July 12, 2023, 7:29 a.m.			0	0
IsDebuggerPresent July 12, 2023, 7:31 a.m.			0	0
IsDebuggerPresent July 12, 2023, 7:31 a.m.			0	0
IsDebuggerPresent July 12, 2023, 7:31 a.m.			0	0

Command line console output was observed (9 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 12, 2023, 7:31 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW July 12, 2023, 7:31 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW July 12, 2023, 7:31 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW July 12, 2023, 7:31 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW July 12, 2023, 7:31 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\mpom console_handle: 0x00000053	1	1
WriteConsoleW July 12, 2023, 7:31 a.m.	buffer: zx.exe console_handle: 0x0000005f	1	1
WriteConsoleW July 12, 2023, 7:31 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW July 12, 2023, 7:31 a.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW July 12, 2023, 7:31 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1

Uses Windows APIs to generate a cryptographic key (49 events)

Time & API	Arguments	Status	Return
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e49e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e49e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e49e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4420 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4420 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4420 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e49e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e49e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e49e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e49e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e49e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e49e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e49e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e49e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e49e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e49e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002cb878 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002cb878 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2023, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002cb5f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

wUNI.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 12, 2023, 7:29 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 12, 2023, 7:31 a.m.	stacktrace: 0xa508e4 0xa50821 0xa506d9 0xa50074 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x721f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7220264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72202e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x722b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72341dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72341e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72341f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7234416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7361f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa53bcd registers.esp: 1504200 registers.edi: 1504224 registers.eax: 0 registers.ebp: 1504236 registers.edx: 195 registers.ebx: 41991636 registers.esi: 42020204 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

July 12, 2023, 7:31 a.m.

stacktrace:

0xa508e4
0xa50821
0xa506d9
0xa50074
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x721f2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7220264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72202e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722b74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x722b7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72341dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72341e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72341f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7234416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7361f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xa53bcd
registers.esp: 1504200
registers.edi: 1504224
registers.eax: 0
registers.ebp: 1504236
registers.edx: 195
registers.ebx: 41991636
registers.esi: 42020204
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 214 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 12, 2023, 7:29 a.m.	process_identifier: 2660 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:29 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00590000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2023, 7:29 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2023, 7:29 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:29 a.m.	process_identifier: 2660 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:29 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:29 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:29 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:29 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:29 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:29 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:29 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:29 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:29 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:29 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:29 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:29 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00417000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:29 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00416000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:29 a.m.	process_identifier: 2660 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00641000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2023, 7:29 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e6b2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:29 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00643000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:30 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0525f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:30 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05250000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:30 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00644000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:30 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:30 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00645000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:30 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00646000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:30 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:30 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00647000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:30 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00648000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:31 a.m.	process_identifier: 3068 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:31 a.m.	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2023, 7:31 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:31 a.m.	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 12, 2023, 7:31 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:31 a.m.	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:31 a.m.	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:31 a.m.	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:31 a.m.	process_identifier: 3068 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:31 a.m.	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:31 a.m.	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:31 a.m.	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:31 a.m.	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:31 a.m.	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:31 a.m.	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:31 a.m.	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:31 a.m.	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:31 a.m.	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:31 a.m.	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2023, 7:31 a.m.	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\mpomzx.exe"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\mpomzx.exe"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 12, 2023, 7:30 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\mpomzx.exe" filepath: powershell	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00093000', u'virtual_address': u'0x00002000', u'entropy': 7.768070910017005, u'name': u'.text', u'virtual_size': u'0x00092fa0'}

entropy

7.76807091002

description

A section with a high entropy has been found

entropy

0.994082840237

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 12, 2023, 7:31 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW July 12, 2023, 7:31 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (13 events)

description	Win Trojan AgentTesla	rule	Win_Trojan_AgentTesla_M_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications smtp	rule	Network_SMTP_dotNet
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 12, 2023, 7:30 a.m.	process_identifier: 908 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003b0	1	0	0

A process attempted to delay the analysis task. (1 event)

description

mpomzx.exe tried to sleep 2728503 seconds, actually delayed analysis time by 2728503 seconds

Harvests credentials from local FTP client softwares (5 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\SOFTWARE\FTPWare\COREFTP\Sites

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 12, 2023, 7:30 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¸@¦dà0þ¦ @ @°¦KÀFà H.text `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 908 process_handle: 0x000003b0	1	1
WriteProcessMemory July 12, 2023, 7:30 a.m.	buffer: P8h À¼\Ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalNamebf32f5a7-2e98-40de-b5f5-c03fb1f0afa4.exe(LegalCopyright \|)OriginalFilenamebf32f5a7-2e98-40de-b5f5-c03fb1f0afa4.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042c000 process_identifier: 908 process_handle: 0x000003b0	1	1
WriteProcessMemory July 12, 2023, 7:30 a.m.	buffer: 7 base_address: 0x0042e000 process_identifier: 908 process_handle: 0x000003b0	1	1
WriteProcessMemory July 12, 2023, 7:30 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 908 process_handle: 0x000003b0	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 12, 2023, 7:30 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¸@¦dà0þ¦ @ @°¦KÀFà H.text `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 908 process_handle: 0x000003b0	1	1	0

Harvests credentials from local email clients (6 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2660 called NtSetContextThread to modify thread in remote process 908
NtSetContextThread July 12, 2023, 7:30 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4368126 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002ac process_identifier: 908	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2660 resumed a thread in remote process 908
NtResumeThread July 12, 2023, 7:30 a.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 908	1	0	0

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Executed a process and injected code into it, probably while unpacking (26 events)

Time & API	Arguments	Status	Return
NtResumeThread July 12, 2023, 7:29 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2660	1	0
NtResumeThread July 12, 2023, 7:29 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2660	1	0
NtResumeThread July 12, 2023, 7:29 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2660	1	0
NtResumeThread July 12, 2023, 7:30 a.m.	thread_handle: 0x00000214 suspend_count: 1 process_identifier: 2660	1	0
CreateProcessInternalW July 12, 2023, 7:30 a.m.	thread_identifier: 2052 thread_handle: 0x000003d4 process_identifier: 3068 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\mpomzx.exe" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003dc	1	1
CreateProcessInternalW July 12, 2023, 7:30 a.m.	thread_identifier: 2072 thread_handle: 0x000002ac process_identifier: 908 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\mpomzx.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\mpomzx.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003b0	1	1
NtGetContextThread July 12, 2023, 7:30 a.m.	thread_handle: 0x000002ac	1	0
NtAllocateVirtualMemory July 12, 2023, 7:30 a.m.	process_identifier: 908 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003b0	1	0
WriteProcessMemory July 12, 2023, 7:30 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¸@¦dà0þ¦ @ @°¦KÀFà H.text `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 908 process_handle: 0x000003b0	1	1
WriteProcessMemory July 12, 2023, 7:30 a.m.	buffer: base_address: 0x00402000 process_identifier: 908 process_handle: 0x000003b0	1	1
WriteProcessMemory July 12, 2023, 7:30 a.m.	buffer: P8h À¼\Ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalNamebf32f5a7-2e98-40de-b5f5-c03fb1f0afa4.exe(LegalCopyright \|)OriginalFilenamebf32f5a7-2e98-40de-b5f5-c03fb1f0afa4.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042c000 process_identifier: 908 process_handle: 0x000003b0	1	1
WriteProcessMemory July 12, 2023, 7:30 a.m.	buffer: 7 base_address: 0x0042e000 process_identifier: 908 process_handle: 0x000003b0	1	1
WriteProcessMemory July 12, 2023, 7:30 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 908 process_handle: 0x000003b0	1	1
NtSetContextThread July 12, 2023, 7:30 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4368126 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002ac process_identifier: 908	1	0
NtResumeThread July 12, 2023, 7:30 a.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 908	1	0
NtResumeThread July 12, 2023, 7:31 a.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 3068	1	0
NtResumeThread July 12, 2023, 7:31 a.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 3068	1	0
NtResumeThread July 12, 2023, 7:31 a.m.	thread_handle: 0x00000448 suspend_count: 1 process_identifier: 3068	1	0
NtResumeThread July 12, 2023, 7:31 a.m.	thread_handle: 0x000004a8 suspend_count: 1 process_identifier: 3068	1	0
NtResumeThread July 12, 2023, 7:31 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 908	1	0
NtResumeThread July 12, 2023, 7:31 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 908	1	0
NtResumeThread July 12, 2023, 7:31 a.m.	thread_handle: 0x000001e0 suspend_count: 1 process_identifier: 908	1	0
NtResumeThread July 12, 2023, 7:31 a.m.	thread_handle: 0x0000027c suspend_count: 1 process_identifier: 908	1	0
NtResumeThread July 12, 2023, 7:31 a.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 908	1	0
NtResumeThread July 12, 2023, 7:31 a.m.	thread_handle: 0x0000035c suspend_count: 1 process_identifier: 908	1	0
NtResumeThread July 12, 2023, 7:31 a.m.	thread_handle: 0x00000394 suspend_count: 1 process_identifier: 908	1	0

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Lionic	Trojan.Win32.SnakeLogger.4!c
DrWeb	Trojan.PackedNET.1995
MicroWorld-eScan	Trojan.GenericKD.68093639
McAfee	Artemis!23D9FBC39EC7
Malwarebytes	Malware.AI.4003356726
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 005a86751 )
Alibaba	Trojan:MSIL/GenKryptik.ea58e166
K7GW	Trojan ( 005a86751 )
Cybereason	malicious.154bd9
Arcabit	Trojan.Generic.D40F06C7
Cyren	W32/MSIL_Kryptik.BYC.gen!Eldorado
Symantec	Scr.Malcode!gdn34
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Kryptik.AJEQ
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	HEUR:Trojan-Spy.MSIL.SnakeLogger.gen
BitDefender	Trojan.GenericKD.68093639
Avast	Win32:PWSX-gen [Trj]
Tencent	Malware.Win32.Gencirc.13e955e9
Emsisoft	Trojan.GenericKD.68093639 (B)
F-Secure	Trojan.TR/Kryptik.gwsrq
VIPRE	Trojan.GenericKD.68093639
TrendMicro	TrojanSpy.Win32.NEGASTEAL.YXDGJZ
McAfee-GW-Edition	BehavesLike.Win32.Generic.hc
Trapmine	suspicious.low.ml.score
FireEye	Generic.mg.23d9fbc39ec74f96
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Webroot	W32.Trojan.Gen
Avira	TR/Kryptik.gwsrq
MAX	malware (ai score=80)
Antiy-AVL	Trojan/MSIL.Kryptik
Microsoft	Trojan:Win32/Leonem
ZoneAlarm	HEUR:Trojan-Spy.MSIL.SnakeLogger.gen
GData	Win32.Trojan-Stealer.CredStealer.OCAFKH
Google	Detected
Acronis	suspicious
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TrojanSpy.Win32.NEGASTEAL.YXDGJZ
Rising	Malware.Obfus/MSIL@AI.98 (RDM.MSIL2:zAFMGczApbM30Y4iLEoF4g)
Yandex	Trojan.Igent.b0sTmp.24
Ikarus	Trojan.MSIL.Inject
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.ATU!tr
AVG	Win32:PWSX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

mpomzx.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All