Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 21, 2023, 12:58 p.m.	July 21, 2023, 1 p.m.

Size	2.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`f6637dd80c1bf55fdf7d31f1d857a155`
SHA256	`930ed2eef19f9a8fe45fc227cefc8d7369ef251c489b592d1f060f506d68bbba`
CRC32	`3A0DCF84`
ssdeep	`49152:Ayr13C8ZAInUxXaqHBkuluNH3iYGnFDB9KYl+NVoQ8ngkfWEGWDv3XPjVAjknL2Z:717ZAIwXaqHJluNH3iY+DL6NVX8ngkf6`
PDB Path	C:\BuildAgent\work\f528c7da27d4599a\Sources\FMStarter\bin\Release\FreemakeVideoConverter.pdb
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

adobe-explorer.exe "C:\Users\test22\AppData\Local\Temp\adobe-explorer.exe"
2552
- pipanel.exe "C:\Users\test22\AppData\Local\Temp\adobe-explorer.exe"
  2716

Name	Response	Post-Analysis Lookup
texasgrudgecompany.com	A 5.8.18.42	5.8.18.42

IP Address	Status	Action
164.124.101.2	Active	Moloch
5.8.18.42	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 21, 2023, 12:58 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 21, 2023, 12:58 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\BuildAgent\work\f528c7da27d4599a\Sources\FMStarter\bin\Release\FreemakeVideoConverter.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	imhkvfk
section	.deena
section	.brena

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 21, 2023, 12:58 p.m.	process_identifier: 2552 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00700000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 21, 2023, 12:58 p.m.	process_identifier: 2552 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02390000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 21, 2023, 12:58 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f2f000 process_handle: 0xffffffff	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (6 events)

Time & API	Arguments	Status	Return
Process32NextW July 21, 2023, 12:58 p.m.	snapshot_handle: 0x000000ec process_name: taskhost.exe process_identifier: 2368	1	1
Process32NextW July 21, 2023, 12:58 p.m.	snapshot_handle: 0x000000ec process_name: sdclt.exe process_identifier: 2376	1	1
Process32NextW July 21, 2023, 12:58 p.m.	snapshot_handle: 0x000000ec process_name: adobe-explorer.exe process_identifier: 2552	1	1
Process32NextW July 21, 2023, 12:58 p.m.	snapshot_handle: 0x000000f0 process_name: schtasks.exe process_identifier: 2604	1	1
Process32NextW July 21, 2023, 12:58 p.m.	snapshot_handle: 0x000002c4 process_name: dllhost.exe process_identifier: 2656	1	1
Process32NextW July 21, 2023, 12:58 p.m.	snapshot_handle: 0x000002c4 process_name: pipanel.exe process_identifier: 2716	1	1

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00035200', u'virtual_address': u'0x0022e000', u'entropy': 7.981965805382141, u'name': u'imhkvfk', u'virtual_size': u'0x000350b8'}

entropy

7.98196580538

description

A section with a high entropy has been found

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (20 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW July 21, 2023, 12:58 p.m.	snapshot_handle: 0x000000ec process_name: adobe-explorer.exe process_identifier: 2552		0	0
Process32NextW July 21, 2023, 12:58 p.m.	snapshot_handle: 0x000000f0 process_name: schtasks.exe process_identifier: 2604		0	0
Process32NextW July 21, 2023, 12:58 p.m.	snapshot_handle: 0x000000f4 process_name: conhost.exe process_identifier: 2612		0	0
Process32NextW July 21, 2023, 12:58 p.m.	snapshot_handle: 0x000000f8 process_name: conhost.exe process_identifier: 2612		0	0
Process32NextW July 21, 2023, 12:58 p.m.	snapshot_handle: 0x000000fc process_name: conhost.exe process_identifier: 2612		0	0
Process32NextW July 21, 2023, 12:58 p.m.	snapshot_handle: 0x00000100 process_name: conhost.exe process_identifier: 2612		0	0
Process32NextW July 21, 2023, 12:58 p.m.	snapshot_handle: 0x00000104 process_name: conhost.exe process_identifier: 2612		0	0
Process32NextW July 21, 2023, 12:58 p.m.	snapshot_handle: 0x00000108 process_name: conhost.exe process_identifier: 2612		0	0
Process32NextW July 21, 2023, 12:58 p.m.	snapshot_handle: 0x0000010c process_name: conhost.exe process_identifier: 2612		0	0
Process32NextW July 21, 2023, 12:58 p.m.	snapshot_handle: 0x00000110 process_name: adobe-explorer.exe process_identifier: 2552		0	0
Process32NextW July 21, 2023, 12:58 p.m.	snapshot_handle: 0x00000114 process_name: adobe-explorer.exe process_identifier: 2552		0	0
Process32NextW July 21, 2023, 12:58 p.m.	snapshot_handle: 0x00000118 process_name: adobe-explorer.exe process_identifier: 2552		0	0
Process32NextW July 21, 2023, 12:58 p.m.	snapshot_handle: 0x0000011c process_name: adobe-explorer.exe process_identifier: 2552		0	0
Process32NextW July 21, 2023, 12:58 p.m.	snapshot_handle: 0x00000120 process_name: adobe-explorer.exe process_identifier: 2552		0	0
Process32NextW July 21, 2023, 12:58 p.m.	snapshot_handle: 0x00000124 process_name: adobe-explorer.exe process_identifier: 2552		0	0
Process32NextW July 21, 2023, 12:58 p.m.	snapshot_handle: 0x00000128 process_name: adobe-explorer.exe process_identifier: 2552		0	0
Process32NextW July 21, 2023, 12:58 p.m.	snapshot_handle: 0x0000012c process_name: adobe-explorer.exe process_identifier: 2552		0	0
Process32NextW July 21, 2023, 12:58 p.m.	snapshot_handle: 0x00000130 process_name: adobe-explorer.exe process_identifier: 2552		0	0
Process32NextW July 21, 2023, 12:58 p.m.	snapshot_handle: 0x00000134 process_name: adobe-explorer.exe process_identifier: 2552		0	0
Process32NextW July 21, 2023, 12:58 p.m.	snapshot_handle: 0x00000138 process_name: adobe-explorer.exe process_identifier: 2552		0	0

Allocates execute permission to another process indicative of possible code injection (4 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 21, 2023, 12:58 p.m.	process_identifier: 2716 region_size: 180224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002bc	1
NtProtectVirtualMemory July 21, 2023, 12:58 p.m.	process_identifier: 2716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f2f000 process_handle: 0x000002bc	1
NtAllocateVirtualMemory July 21, 2023, 12:58 p.m.	process_identifier: 2716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002bc	1
NtAllocateVirtualMemory July 21, 2023, 12:58 p.m.	process_identifier: 2716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002bc	1

Potential code injection by writing to the memory of another process (8 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 21, 2023, 12:58 p.m.	buffer: ÈuUÐ:WPHw¸[Û _«z\ L´ÖK÷oÉømCçîB¼U¡âaÃ{þ\|Ð¬d thàhÈîÂ.textàP.rdataPà.rdata$voltmdhàt.rdata$zzzdbgðP.dataPüh.bss base_address: 0x0040e000 process_identifier: 2716 process_handle: 0x000002bc	1	1
WriteProcessMemory July 21, 2023, 12:58 p.m.	buffer: +öÏø]sLÌªÁ¹¢%óÝ`Févåt>úÔ¼YïÈ§½¥Ê\ÞúÝôÉ²×=OîÒñ-~¨¼ÞtÉ«Qõ^Ø=\·«_Õç£7ºÊ!{3ä¦NÒ /ùl¨.+'b´÷¸\©Á0 VÇ²Þ`°ç3½ô=óTxå¸÷9¼XÌþiK6 >9ë¨Ñè@'Æñ©äLå"=/T¡w^Ip«ZXv+â ôtm÷¡##MQ¦ïþsÉ,ÿÿÿÿSOFTWARE\Microsoft\Windows NT\CurrentVersionSoftware\Microsoft\Windows\CurrentVersion\RunOnceCSDVersionProductNamex86x64p \/[]-_:µä[Jú-EÝ]³Qçëô\|UÓsøó.ô\|UÓsøó.ô\|UÓsøó.ô\|UÓsøó.ô\|UÓsøó.ô\|UÓsøó.ô\|UÓsøó.ô\|UÓsøó.fFgÚwË©úÞV¯Ç[fúÆûÚo+ Û5v ø³óâ¦´IÝÎzKÅÝÞf)o@S"-ªt)gò(íÏ]Rz¤Ü±£ù¢ y\|¨]Øhâ²ÏÑá÷Að´!úÞB}-µ]HÍ·¾B\ÔôÄï út}-¿CH·?¾BÔÄ½Ûþ¨ &ï út¤Ü-ôýpf0HG2ÝÅ]¢~>;Â¿Á-¸I±úÞÅ¢x¯Mg&têEÔ²<T«Æú?Þ,Î ¢¹¬[vøu9>!g2DyNÓ¬ÏÞegls0+Îöëò ZµÍY0v"}^lÂ#ß>5sÚUö+Ê¢VJ5°ïF+ÌSãÁÊZ/QÒb2r³WZÞ\öÝôîÜ\|èìÌ&ØÓ¶Ç¼p- °r¾,~J$O©é'ÆU& "1zÈ\î²Þ\#îçÚÃývðVÕ¤eµ×ìe«\|pþ!qw2\|ëTÄ;ª7^-g8FUÑ(ÇKÄ¸kÍKS0Ù8«õH ûä²\|ìÝþ«ñdµÀ}â©ÙWx¶¨xRÃÖP®áb'·dÜ×®É)\QC1ïä_i5Nß;p¨Ún[ª)uNj¼«HmâTkÀx¡7ä.ë<;³Ø8ýyðÜÎf>kA H°:[Sæ·ù üÞÊ[¨íú<].ZòÞ\|]Ôñ±\|?ï(\|Zgï£áÍDö4ïaÄ¤/nõh©P³ü±GGVäú>ôÞàG)?ðºö^öpÉDÇy'ðÈOTäÖ²Ì~¦S«ÂéñMtÈi¿ùna0ì4¯m®ªXz$^¾òp$UØ SZÒûL¬Ñ¢A¯AÜø,»ÑÍÝÔö¯ÓDÃZ·P ~ýËK ô¶Kî¢9Ðµ[#j%på4ÊÆë(îûÞ¼ñk¿óIJ¨P¥=ûÚmË«d"ùé´÷ «â²Q,ñ©·@Üíë.}nÆê×_RoÏþ:0f&(øk/ÿZÇÓ·QEPÉo}Èú»Ã®ÞÊ"()Set On Error Resume Next = CreateObjectScripting.FileSystemObjectwhile .FileExists.DeleteFile wend.DeleteFolder .DeleteFile(Wscript.ScriptFullName)Â #8¸RO[ÌOË¥´´è*ÞlºRmò?®+Dû¨\|ëU¼Zip.dll.exe\ [Ctrl + [Ctrl] [Alt + [Alt]() Clipboard Start[Clipboard End]image/jpegUN.vbs.zipMessage base_address: 0x0040f000 process_identifier: 2716 process_handle: 0x000002bc	1	1
WriteProcessMemory July 21, 2023, 12:58 p.m.	buffer: base_address: 0x0042a000 process_identifier: 2716 process_handle: 0x000002bc	1	1
WriteProcessMemory July 21, 2023, 12:58 p.m.	buffer: `7I7ì799£9ª9×9ü95:F:o::Â:Ò:3;D;\|;;<&<=4=D=q=«=Æ=Ô=õ= >>!>/>;>D>L>U>g>r>×>ÿ>Á?Ë?00º0N1_1u11©1ö12,2=2V2f22¬2Ë23(3O3`333½3Ì3û3L44¥4Ø5ä5Ç6ì6+7;77´7º7Æ7Ú7à7868C8q8~8Á8ì8 99%9l9J;Y;;;;¡;Ñ;3<_<Ó<ã<=Ä=Ï=X>>>_?g?p?@lL12,2^2n2é2ø2F3\|3¬3ä3ü3H4W4k4Ø4F5¡5±5.6`6f6«697Z788!888=8Q8V8~888¢8¹8ç8í8.9ý9:@:P:ô<¶=>z>Õ>Pô¥0131S1111¶1½1Ã1é1ð1ö1 2282c2}22£2´2Ó2í2ó2ü23$3)383á3í3ü344z4¬4Ã4ç45%5A5K5m5w56&6,66À6b7w78Â8Í8c9}99¢9º9Ã9Ô9ë9õ9þ9:: :A:L:`:i:©:Ú:à:õ:-;B;Q;Y;h;r;;;±;·;Ã;Î;æ;ü;<<Q<i<t<<´<¿<ì<==a==²=Å=Û=Û>??;?`?v??²?Æ?Ë?à?ü?`000)0U0b0h00¿0Û0à01#1/1;1A1O1X1^1p1U2f22µ2Ó2ù2 333³3á34C4Z4b4s444§4¯4»4Å4Ö4å4K5V56R6Y6b6l6\|666Â6à6÷67+7H7b777 7Æ7;8c8949a9t9®9Î9Ô9`:g:p:z:::::®:}<<=¡=¹=Æ=Ð=Ú=å=ê=ï=û=>>>>)>.>3>_>j>z>> ?? ?'?G?N?U?[?g?z????§?Ä?Ð?Þ?ä?p<000'0.050A0H0R001u22ö23 373B3g3444;4Q4S7Z7q7v777¥7¯7¼7Ì7Ö7ã7ð7ú788I8Þ8ê8ñ8ü8 999"9,929=9F9R9]9c9t9~99999§9¼96:>:D:b:h:s:::::°:¸:Ç:Í:Ø:ä:÷:ý:;;";1;7;C;I;T;`;x;;¥;¹;Í;Õ;é;ý;<<'<3<:<E<R<]<e<j<t<y<<<<¤<ª<»<Å<Ë<Õ<Û<ì<ò<ý<==(=.=:=@=K=W=j====µ=Ñ=ò=ø=>>+>]>å>?%?+?e??¥?Â?÷?l 0D0T0´0Ø0ö0Q1c1u11£1¿1Ê1Ý1ì1ü12 2+212\2d222Á2g3m3v33©3 44¶4õ455,5<5H5b5«5ô57©7^8g8w8â8í8ø8þ8999)9/999?9I9O9Y9_9i9o9z999®9À9Õ9Þ9æ9î9::G:p:y::::±:¾:Ê:Ò:Ý:å:ð:ö:ü:; ;;;/;5;;;E;S;_;k;x;;;;;©;¹;¿;É;Ï;×;Ü;ç;ï;<<<<$<<6<B<n<x<<<<¤<´<Ê<Ý<ï<õ<=!=z==Ü=<>Y>f>>>±>¸>Â>Ï>à>ç>ñ>þ> ???&?+?7?>?J?Q?]?d?n?????¦??¿?Ê?Ï?à?ë?ñ?þ?¬000+020<0A0M0T0`0g0s0z00000¤0«0·0¾0É0Î0 161=1G1T1o1v111¨1¯1¹1Æ1á1è1ò1ÿ122(252M2T2^2k2s2222«2²2¾2Å2Ñ2Ø2â2ç2÷2ü23333$3)33383Z3a3m3t33336445 55"5)555<5H5O5[5b5n5u55555§5®5º5Á5Ì5Ø5«6µ6é6î6ô6ú6 7U7_7e7t7À7Ñ7Ö7Ü7â7÷78 888-878@8E8P8V8j8s8µ8¿8È8Í8Ø8Þ8ï8ÿ8999999G9k9z999£99¶9»9Æ9Ì9Ý9í9ô9:::':1:::?:J:P:]:v::::::°:À:Ç:Ö:Û:ë:ú:; ;;;#;0;\;h;r;};;;§;;¶;Â;Ì;Õ;á;ë;ô;<©< =d=Í=Û>þ>? é23 33&3G3N3X3k3333°3Ñ3Ø3â3õ344'4:4X4_4i4\|444£4³4Å4Ì4Ø4ß4é4î4þ45 555!5L5S5_5f55¼5ý566"6)6S6$7²7Ð7î788õ893:Ò:q;<°Ä¦3°3¼3Ç3Î3Ø3é3ð3O4Y444 4ª4´4¾4È4Î4Ô4Ú4à4æ4í4ô4þ45555,535H5f55§55¾5Ù5î5ö5666-676y6Ç6è6ú67¦7¶7î7þ7/8N88°8À8æ8ö8999e9o99à9:B:ö:ü:;;%;¡;Ò;Ú;ê;<!<,<8<><P?d?}?????»?á?æ?À<0,0M0r00À0Ê044ç4ö45A5P5_5e5¢5²5¸5b6w6}66¨6ò67 01N1U11º162;;¼;ã; x9Ì9ì95fØ21q©¤1zÞ(>aþR(~úSOg¡ÔpÓì!YìÐuÄé?³Õàë¿RÈqÒ×S¡\q üvóY~85ªhKoH\|©$3¸5éUG÷jËYªÂYr`©ç8Ùií\|,Ï¦0á9¨3%j²§µ#y_Í¿>$# ê¯VîÖÉÄâüy.PÖÊ!¯tBfKJç¥eÓ¨-î¾ÛÊ½¯îp«Õ» base_address: 0x0042b000 process_identifier: 2716 process_handle: 0x000002bc	1	1
WriteProcessMemory July 21, 2023, 12:58 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2716 process_handle: 0x000002bc	1	1
WriteProcessMemory July 21, 2023, 12:58 p.m.	buffer: C:\Users\test22\AppData\Roaming\exgssi.exe base_address: 0x000f0000 process_identifier: 2716 process_handle: 0x000002bc	1	1
WriteProcessMemory July 21, 2023, 12:58 p.m.	buffer: base_address: 0x77010234 process_identifier: 2716 process_handle: 0x000002bc	1	1
WriteProcessMemory July 21, 2023, 12:58 p.m.	buffer: base_address: 0x77010230 process_identifier: 2716 process_handle: 0x000002bc	1	1

File has been identified by 14 AntiVirus engines on VirusTotal as malicious (14 events)

MicroWorld-eScan	Trojan.GenericKD.68273325
BitDefender	Trojan.GenericKD.68273325
Avast	Win32:Malware-gen
Emsisoft	Trojan.GenericKD.68273325 (B)
McAfee-GW-Edition	Artemis
FireEye	Trojan.GenericKD.68273325
GData	Win32.Backdoor.Parallax.W3L1QB
Gridinsoft	Trojan.Win32.Gen.bot
Microsoft	Trojan:Win32/Sonbokli.A!cl
McAfee	Artemis!F6637DD80C1B
MAX	malware (ai score=86)
TrendMicro-HouseCall	TROJ_GEN.F0D1C00GK23
Fortinet	Malicious_Behavior.SB
AVG	Win32:Malware-gen

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Roaming\exgssi.exe:Zone.Identifier

Executed a process and injected code into it, probably while unpacking (16 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW July 21, 2023, 12:58 p.m.	thread_identifier: 2720 thread_handle: 0x000002b8 process_identifier: 2716 current_directory: filepath: C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\adobe-explorer.exe" filepath_r: C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 1 process_handle: 0x000002bc	1	1
NtGetContextThread July 21, 2023, 12:58 p.m.	thread_handle: 0x000002b8	1	0
NtAllocateVirtualMemory July 21, 2023, 12:58 p.m.	process_identifier: 2716 region_size: 180224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002bc	1	0
WriteProcessMemory July 21, 2023, 12:58 p.m.	buffer: base_address: 0x00401000 process_identifier: 2716 process_handle: 0x000002bc	1	1
WriteProcessMemory July 21, 2023, 12:58 p.m.	buffer: ÈuUÐ:WPHw¸[Û _«z\ L´ÖK÷oÉømCçîB¼U¡âaÃ{þ\|Ð¬d thàhÈîÂ.textàP.rdataPà.rdata$voltmdhàt.rdata$zzzdbgðP.dataPüh.bss base_address: 0x0040e000 process_identifier: 2716 process_handle: 0x000002bc	1	1
WriteProcessMemory July 21, 2023, 12:58 p.m.	buffer: +öÏø]sLÌªÁ¹¢%óÝ`Févåt>úÔ¼YïÈ§½¥Ê\ÞúÝôÉ²×=OîÒñ-~¨¼ÞtÉ«Qõ^Ø=\·«_Õç£7ºÊ!{3ä¦NÒ /ùl¨.+'b´÷¸\©Á0 VÇ²Þ`°ç3½ô=óTxå¸÷9¼XÌþiK6 >9ë¨Ñè@'Æñ©äLå"=/T¡w^Ip«ZXv+â ôtm÷¡##MQ¦ïþsÉ,ÿÿÿÿSOFTWARE\Microsoft\Windows NT\CurrentVersionSoftware\Microsoft\Windows\CurrentVersion\RunOnceCSDVersionProductNamex86x64p \/[]-_:µä[Jú-EÝ]³Qçëô\|UÓsøó.ô\|UÓsøó.ô\|UÓsøó.ô\|UÓsøó.ô\|UÓsøó.ô\|UÓsøó.ô\|UÓsøó.ô\|UÓsøó.fFgÚwË©úÞV¯Ç[fúÆûÚo+ Û5v ø³óâ¦´IÝÎzKÅÝÞf)o@S"-ªt)gò(íÏ]Rz¤Ü±£ù¢ y\|¨]Øhâ²ÏÑá÷Að´!úÞB}-µ]HÍ·¾B\ÔôÄï út}-¿CH·?¾BÔÄ½Ûþ¨ &ï út¤Ü-ôýpf0HG2ÝÅ]¢~>;Â¿Á-¸I±úÞÅ¢x¯Mg&têEÔ²<T«Æú?Þ,Î ¢¹¬[vøu9>!g2DyNÓ¬ÏÞegls0+Îöëò ZµÍY0v"}^lÂ#ß>5sÚUö+Ê¢VJ5°ïF+ÌSãÁÊZ/QÒb2r³WZÞ\öÝôîÜ\|èìÌ&ØÓ¶Ç¼p- °r¾,~J$O©é'ÆU& "1zÈ\î²Þ\#îçÚÃývðVÕ¤eµ×ìe«\|pþ!qw2\|ëTÄ;ª7^-g8FUÑ(ÇKÄ¸kÍKS0Ù8«õH ûä²\|ìÝþ«ñdµÀ}â©ÙWx¶¨xRÃÖP®áb'·dÜ×®É)\QC1ïä_i5Nß;p¨Ún[ª)uNj¼«HmâTkÀx¡7ä.ë<;³Ø8ýyðÜÎf>kA H°:[Sæ·ù üÞÊ[¨íú<].ZòÞ\|]Ôñ±\|?ï(\|Zgï£áÍDö4ïaÄ¤/nõh©P³ü±GGVäú>ôÞàG)?ðºö^öpÉDÇy'ðÈOTäÖ²Ì~¦S«ÂéñMtÈi¿ùna0ì4¯m®ªXz$^¾òp$UØ SZÒûL¬Ñ¢A¯AÜø,»ÑÍÝÔö¯ÓDÃZ·P ~ýËK ô¶Kî¢9Ðµ[#j%på4ÊÆë(îûÞ¼ñk¿óIJ¨P¥=ûÚmË«d"ùé´÷ «â²Q,ñ©·@Üíë.}nÆê×_RoÏþ:0f&(øk/ÿZÇÓ·QEPÉo}Èú»Ã®ÞÊ"()Set On Error Resume Next = CreateObjectScripting.FileSystemObjectwhile .FileExists.DeleteFile wend.DeleteFolder .DeleteFile(Wscript.ScriptFullName)Â #8¸RO[ÌOË¥´´è*ÞlºRmò?®+Dû¨\|ëU¼Zip.dll.exe\ [Ctrl + [Ctrl] [Alt + [Alt]() Clipboard Start[Clipboard End]image/jpegUN.vbs.zipMessage base_address: 0x0040f000 process_identifier: 2716 process_handle: 0x000002bc	1	1
WriteProcessMemory July 21, 2023, 12:58 p.m.	buffer: base_address: 0x00417000 process_identifier: 2716 process_handle: 0x000002bc		0
WriteProcessMemory July 21, 2023, 12:58 p.m.	buffer: base_address: 0x00418000 process_identifier: 2716 process_handle: 0x000002bc	1	1
WriteProcessMemory July 21, 2023, 12:58 p.m.	buffer: base_address: 0x0042a000 process_identifier: 2716 process_handle: 0x000002bc	1	1
WriteProcessMemory July 21, 2023, 12:58 p.m.	buffer: `7I7ì799£9ª9×9ü95:F:o::Â:Ò:3;D;\|;;<&<=4=D=q=«=Æ=Ô=õ= >>!>/>;>D>L>U>g>r>×>ÿ>Á?Ë?00º0N1_1u11©1ö12,2=2V2f22¬2Ë23(3O3`333½3Ì3û3L44¥4Ø5ä5Ç6ì6+7;77´7º7Æ7Ú7à7868C8q8~8Á8ì8 99%9l9J;Y;;;;¡;Ñ;3<_<Ó<ã<=Ä=Ï=X>>>_?g?p?@lL12,2^2n2é2ø2F3\|3¬3ä3ü3H4W4k4Ø4F5¡5±5.6`6f6«697Z788!888=8Q8V8~888¢8¹8ç8í8.9ý9:@:P:ô<¶=>z>Õ>Pô¥0131S1111¶1½1Ã1é1ð1ö1 2282c2}22£2´2Ó2í2ó2ü23$3)383á3í3ü344z4¬4Ã4ç45%5A5K5m5w56&6,66À6b7w78Â8Í8c9}99¢9º9Ã9Ô9ë9õ9þ9:: :A:L:`:i:©:Ú:à:õ:-;B;Q;Y;h;r;;;±;·;Ã;Î;æ;ü;<<Q<i<t<<´<¿<ì<==a==²=Å=Û=Û>??;?`?v??²?Æ?Ë?à?ü?`000)0U0b0h00¿0Û0à01#1/1;1A1O1X1^1p1U2f22µ2Ó2ù2 333³3á34C4Z4b4s444§4¯4»4Å4Ö4å4K5V56R6Y6b6l6\|666Â6à6÷67+7H7b777 7Æ7;8c8949a9t9®9Î9Ô9`:g:p:z:::::®:}<<=¡=¹=Æ=Ð=Ú=å=ê=ï=û=>>>>)>.>3>_>j>z>> ?? ?'?G?N?U?[?g?z????§?Ä?Ð?Þ?ä?p<000'0.050A0H0R001u22ö23 373B3g3444;4Q4S7Z7q7v777¥7¯7¼7Ì7Ö7ã7ð7ú788I8Þ8ê8ñ8ü8 999"9,929=9F9R9]9c9t9~99999§9¼96:>:D:b:h:s:::::°:¸:Ç:Í:Ø:ä:÷:ý:;;";1;7;C;I;T;`;x;;¥;¹;Í;Õ;é;ý;<<'<3<:<E<R<]<e<j<t<y<<<<¤<ª<»<Å<Ë<Õ<Û<ì<ò<ý<==(=.=:=@=K=W=j====µ=Ñ=ò=ø=>>+>]>å>?%?+?e??¥?Â?÷?l 0D0T0´0Ø0ö0Q1c1u11£1¿1Ê1Ý1ì1ü12 2+212\2d222Á2g3m3v33©3 44¶4õ455,5<5H5b5«5ô57©7^8g8w8â8í8ø8þ8999)9/999?9I9O9Y9_9i9o9z999®9À9Õ9Þ9æ9î9::G:p:y::::±:¾:Ê:Ò:Ý:å:ð:ö:ü:; ;;;/;5;;;E;S;_;k;x;;;;;©;¹;¿;É;Ï;×;Ü;ç;ï;<<<<$<<6<B<n<x<<<<¤<´<Ê<Ý<ï<õ<=!=z==Ü=<>Y>f>>>±>¸>Â>Ï>à>ç>ñ>þ> ???&?+?7?>?J?Q?]?d?n?????¦??¿?Ê?Ï?à?ë?ñ?þ?¬000+020<0A0M0T0`0g0s0z00000¤0«0·0¾0É0Î0 161=1G1T1o1v111¨1¯1¹1Æ1á1è1ò1ÿ122(252M2T2^2k2s2222«2²2¾2Å2Ñ2Ø2â2ç2÷2ü23333$3)33383Z3a3m3t33336445 55"5)555<5H5O5[5b5n5u55555§5®5º5Á5Ì5Ø5«6µ6é6î6ô6ú6 7U7_7e7t7À7Ñ7Ö7Ü7â7÷78 888-878@8E8P8V8j8s8µ8¿8È8Í8Ø8Þ8ï8ÿ8999999G9k9z999£99¶9»9Æ9Ì9Ý9í9ô9:::':1:::?:J:P:]:v::::::°:À:Ç:Ö:Û:ë:ú:; ;;;#;0;\;h;r;};;;§;;¶;Â;Ì;Õ;á;ë;ô;<©< =d=Í=Û>þ>? é23 33&3G3N3X3k3333°3Ñ3Ø3â3õ344'4:4X4_4i4\|444£4³4Å4Ì4Ø4ß4é4î4þ45 555!5L5S5_5f55¼5ý566"6)6S6$7²7Ð7î788õ893:Ò:q;<°Ä¦3°3¼3Ç3Î3Ø3é3ð3O4Y444 4ª4´4¾4È4Î4Ô4Ú4à4æ4í4ô4þ45555,535H5f55§55¾5Ù5î5ö5666-676y6Ç6è6ú67¦7¶7î7þ7/8N88°8À8æ8ö8999e9o99à9:B:ö:ü:;;%;¡;Ò;Ú;ê;<!<,<8<><P?d?}?????»?á?æ?À<0,0M0r00À0Ê044ç4ö45A5P5_5e5¢5²5¸5b6w6}66¨6ò67 01N1U11º162;;¼;ã; x9Ì9ì95fØ21q©¤1zÞ(>aþR(~úSOg¡ÔpÓì!YìÐuÄé?³Õàë¿RÈqÒ×S¡\q üvóY~85ªhKoH\|©$3¸5éUG÷jËYªÂYr`©ç8Ùií\|,Ï¦0á9¨3%j²§µ#y_Í¿>$# ê¯VîÖÉÄâüy.PÖÊ!¯tBfKJç¥eÓ¨-î¾ÛÊ½¯îp«Õ» base_address: 0x0042b000 process_identifier: 2716 process_handle: 0x000002bc	1	1
WriteProcessMemory July 21, 2023, 12:58 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2716 process_handle: 0x000002bc	1	1
NtAllocateVirtualMemory July 21, 2023, 12:58 p.m.	process_identifier: 2716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002bc	1	0
NtAllocateVirtualMemory July 21, 2023, 12:58 p.m.	process_identifier: 2716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002bc	1	0
WriteProcessMemory July 21, 2023, 12:58 p.m.	buffer: C:\Users\test22\AppData\Roaming\exgssi.exe base_address: 0x000f0000 process_identifier: 2716 process_handle: 0x000002bc	1	1
WriteProcessMemory July 21, 2023, 12:58 p.m.	buffer: base_address: 0x77010234 process_identifier: 2716 process_handle: 0x000002bc	1	1
WriteProcessMemory July 21, 2023, 12:58 p.m.	buffer: base_address: 0x77010230 process_identifier: 2716 process_handle: 0x000002bc	1	1

adobe-explorer.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All