Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 8, 2023, 6:37 p.m.	Aug. 8, 2023, 6:45 p.m.

Size	1.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`0ccc74c374d8c7ce89bce94b6134090d`
SHA256	`15ba40e3632a36e5e1c74c558e7bc4d986b3e973d79d5a42c5e55468dd848a2c`
CRC32	`ADEF6FC0`
ssdeep	`24576:SNA3R5drXP8jCWgBFgZhxSFJhEBNf0O/JCcW95:r5qiBFqhxSgf0O/JC/`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	UPX_Zero - UPX packed file Win32_WinRAR_SFX_Zero - Win32 WinRAR SFX OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

isuhgb.exe "C:\Users\test22\AppData\Local\Temp\isuhgb.exe"
2560
- cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\coyifg.cmd" "
  2756
  - jinjgrder.sfx.exe jinjgrder.sfx.exe -pthngkiyhasswxgythagtnoiuthnjmdkolqhjyoNomeyjmjhgtprbnhotafugBbsddfdtuxTnYn -dC:\Users\test22\AppData\Local\Temp
    2832
    - jinjgrder.exe "C:\Users\test22\AppData\Local\Temp\jinjgrder.exe"
      3068
      - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\yeoma.bat" "
        2224
        
        adgfdgbf.sfx.exe adgfdgbf.sfx.exe -peythnfkoligscvmhjfjgBbsdirhndmkaloybdtyuiolfadfdyehngfszafugyRhvhdnrVdmjTD -dC:\Users\test22\AppData\Local\Temp
        2324
        
        adgfdgbf.exe "C:\Users\test22\AppData\Local\Temp\adgfdgbf.exe"
        2680

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 8, 2023, 6:37 p.m.			0	0
IsDebuggerPresent Aug. 8, 2023, 6:37 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Aug. 8, 2023, 6:37 p.m.	buffer: The input line is too long. console_handle: 0x0000000b	1	1	0
WriteConsoleW Aug. 8, 2023, 6:37 p.m.	buffer: The input line is too long. console_handle: 0x0000000b	1	1	0

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 8, 2023, 6:37 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 8, 2023, 6:37 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x723e1194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x722b2ba1 mscorlib+0x2f45b0 @ 0x715645b0 mscorlib+0x2f73b5 @ 0x715673b5 mscorlib+0x2eeb10 @ 0x7155eb10 mscorlib+0x2ec3f4 @ 0x7155c3f4 mscorlib+0x2d8327 @ 0x71548327 mscorlib+0x2d9be9 @ 0x71549be9 mscorlib+0x2d9220 @ 0x71549220 mscorlib+0x2d902d @ 0x7154902d 0x78c8d3 0x78bf09 0x78bd5c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72232652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7224264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72242e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722f74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x722f7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72381dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72381e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72381f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7238416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x741af5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x728d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x728d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 4583820 registers.edi: 0 registers.eax: 4583820 registers.ebp: 4583900 registers.edx: 3 registers.ebx: 5582776 registers.esi: 5411664 registers.ecx: 3246131300	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 8, 2023, 6:37 p.m.

stacktrace:

CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x723e1194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x722b2ba1
mscorlib+0x2f45b0 @ 0x715645b0
mscorlib+0x2f73b5 @ 0x715673b5
mscorlib+0x2eeb10 @ 0x7155eb10
mscorlib+0x2ec3f4 @ 0x7155c3f4
mscorlib+0x2d8327 @ 0x71548327
mscorlib+0x2d9be9 @ 0x71549be9
mscorlib+0x2d9220 @ 0x71549220
mscorlib+0x2d902d @ 0x7154902d
0x78c8d3
0x78bf09
0x78bd5c
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72232652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7224264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72242e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722f74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x722f7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72381dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72381e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72381f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7238416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x741af5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x728d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x728d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 4583820
registers.edi: 0
registers.eax: 4583820
registers.ebp: 4583900
registers.edx: 3
registers.ebx: 5582776
registers.esi: 5411664
registers.ecx: 3246131300

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 59 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72dd2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72cd2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72dd2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732d2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00850000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72231000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72232000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02190000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00352000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00780000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00781000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0035a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 122880 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00782000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00783000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00784000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00785000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00786000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00485000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00787000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00788000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a30000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a30000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a30000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a30000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a30000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0078a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Local\Temp\jinjgrder.sfx.exe
file	C:\Users\test22\AppData\Local\Temp\coyifg.cmd
file	C:\Users\test22\AppData\Local\Temp\yeoma.bat
file	C:\Users\test22\AppData\Local\Temp\jinjgrder.exe
file	C:\Users\test22\AppData\Local\Temp\adgfdgbf.exe
file	C:\Users\test22\AppData\Local\Temp\adgfdgbf.sfx.exe

Drops a binary and executes it (6 events)

file	C:\Users\test22\AppData\Local\Temp\coyifg.cmd
file	C:\Users\test22\AppData\Local\Temp\jinjgrder.sfx.exe
file	C:\Users\test22\AppData\Local\Temp\jinjgrder.exe
file	C:\Users\test22\AppData\Local\Temp\yeoma.bat
file	C:\Users\test22\AppData\Local\Temp\adgfdgbf.sfx.exe
file	C:\Users\test22\AppData\Local\Temp\adgfdgbf.exe

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Local\Temp\adgfdgbf.exe
file	C:\Users\test22\AppData\Local\Temp\jinjgrder.exe
file	C:\Users\test22\AppData\Local\Temp\jinjgrder.sfx.exe
file	C:\Users\test22\AppData\Local\Temp\adgfdgbf.sfx.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 8, 2023, 6:37 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (10 events)

description	task schedule	rule	schtasks_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2768 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000268	1	0	0

Manipulates memory of a non-child process indicative of process injection (3 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2680 manipulating memory of non-child process 2768
NtUnmapViewOfSection Aug. 8, 2023, 6:37 p.m.	base_address: 0x00400000 region_size: 6488064 process_identifier: 2768 process_handle: 0x00000268		3221225497	0
NtAllocateVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2768 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000268	1	0	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2680 called NtSetContextThread to modify thread in remote process 2768
NtSetContextThread Aug. 8, 2023, 6:37 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4245438 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000264 process_identifier: 2768	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2680 resumed a thread in remote process 2768
NtResumeThread Aug. 8, 2023, 6:37 p.m.	thread_handle: 0x00000264 suspend_count: 1 process_identifier: 2768	1	0	0

Executed a process and injected code into it, probably while unpacking (33 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 8, 2023, 6:37 p.m.	thread_handle: 0x0000017c suspend_count: 1 process_identifier: 2560	1	0
CreateProcessInternalW Aug. 8, 2023, 6:37 p.m.	thread_identifier: 2760 thread_handle: 0x000002d8 process_identifier: 2756 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\coyifg.cmd" filepath_r: stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002cc	1	1
CreateProcessInternalW Aug. 8, 2023, 6:37 p.m.	thread_identifier: 2836 thread_handle: 0x00000084 process_identifier: 2832 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\jinjgrder.sfx.exe track: 1 command_line: jinjgrder.sfx.exe -pthngkiyhasswxgythagtnoiuthnjmdkolqhjyoNomeyjmjhgtprbnhotafugBbsddfdtuxTnYn -dC:\Users\test22\AppData\Local\Temp filepath_r: C:\Users\test22\AppData\Local\Temp\jinjgrder.sfx.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
NtResumeThread Aug. 8, 2023, 6:37 p.m.	thread_handle: 0x00000184 suspend_count: 1 process_identifier: 2832	1	0
CreateProcessInternalW Aug. 8, 2023, 6:37 p.m.	thread_identifier: 2052 thread_handle: 0x000002e4 process_identifier: 3068 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\jinjgrder.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\jinjgrder.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\jinjgrder.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002ec	1	1
NtResumeThread Aug. 8, 2023, 6:37 p.m.	thread_handle: 0x0000017c suspend_count: 1 process_identifier: 3068	1	0
CreateProcessInternalW Aug. 8, 2023, 6:37 p.m.	thread_identifier: 2216 thread_handle: 0x000002d8 process_identifier: 2224 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\yeoma.bat" filepath_r: stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002cc	1	1
CreateProcessInternalW Aug. 8, 2023, 6:37 p.m.	thread_identifier: 2380 thread_handle: 0x00000088 process_identifier: 2324 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\adgfdgbf.sfx.exe track: 1 command_line: adgfdgbf.sfx.exe -peythnfkoligscvmhjfjgBbsdirhndmkaloybdtyuiolfadfdyehngfszafugyRhvhdnrVdmjTD -dC:\Users\test22\AppData\Local\Temp filepath_r: C:\Users\test22\AppData\Local\Temp\adgfdgbf.sfx.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
NtResumeThread Aug. 8, 2023, 6:37 p.m.	thread_handle: 0x00000180 suspend_count: 1 process_identifier: 2324	1	0
CreateProcessInternalW Aug. 8, 2023, 6:37 p.m.	thread_identifier: 2684 thread_handle: 0x000002e0 process_identifier: 2680 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\adgfdgbf.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\adgfdgbf.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\adgfdgbf.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002e8	1	1
NtResumeThread Aug. 8, 2023, 6:37 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2680	1	0
NtResumeThread Aug. 8, 2023, 6:37 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2680	1	0
NtResumeThread Aug. 8, 2023, 6:37 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2680	1	0
NtResumeThread Aug. 8, 2023, 6:37 p.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 2680	1	0
NtGetContextThread Aug. 8, 2023, 6:37 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread Aug. 8, 2023, 6:37 p.m.	thread_handle: 0x000000e4	1	0
NtResumeThread Aug. 8, 2023, 6:37 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2680	1	0
NtGetContextThread Aug. 8, 2023, 6:37 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread Aug. 8, 2023, 6:37 p.m.	thread_handle: 0x000000e4	1	0
NtResumeThread Aug. 8, 2023, 6:37 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2680	1	0
NtResumeThread Aug. 8, 2023, 6:37 p.m.	thread_handle: 0x0000020c suspend_count: 1 process_identifier: 2680	1	0
NtResumeThread Aug. 8, 2023, 6:37 p.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 2680	1	0
NtGetContextThread Aug. 8, 2023, 6:37 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread Aug. 8, 2023, 6:37 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread Aug. 8, 2023, 6:37 p.m.	thread_handle: 0x000000e4	1	0
NtSetContextThread Aug. 8, 2023, 6:37 p.m.	registers.eip: 1915431812 registers.esp: 4584028 registers.edi: 48768 registers.eax: 7471157 registers.ebp: 4584032 registers.edx: 37195148 registers.ebx: 37194956 registers.esi: 32 registers.ecx: 62443512 thread_handle: 0x000000e4 process_identifier: 2680	1	0
NtResumeThread Aug. 8, 2023, 6:37 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2680	1	0
CreateProcessInternalW Aug. 8, 2023, 6:37 p.m.	thread_identifier: 2788 thread_handle: 0x00000264 process_identifier: 2768 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\adgfdgbf.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000268	1	1
NtUnmapViewOfSection Aug. 8, 2023, 6:37 p.m.	base_address: 0x00400000 region_size: 6488064 process_identifier: 2768 process_handle: 0x00000268		3221225497
NtAllocateVirtualMemory Aug. 8, 2023, 6:37 p.m.	process_identifier: 2768 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000268	1	0
NtGetContextThread Aug. 8, 2023, 6:37 p.m.	thread_handle: 0x00000264	1	0
NtSetContextThread Aug. 8, 2023, 6:37 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4245438 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000264 process_identifier: 2768	1	0
NtResumeThread Aug. 8, 2023, 6:37 p.m.	thread_handle: 0x00000264 suspend_count: 1 process_identifier: 2768	1	0

isuhgb.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All