Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 25, 2023, 5 p.m.	Sept. 25, 2023, 5:04 p.m.

Size	1.3MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`eaf2b6671ec5dded98f2a7fe6aa603c7`
SHA256	`2dfe662fdf9cdb98f44cb0307188837be6b3e8aacace0b1725b95def11519dc0`
CRC32	`87A4180D`
ssdeep	`24576:dA86BOzKx1EfrvUYZCVZTui+e0+rEITX0BZMnjYtpISZOnzwp:dioWvEYVVZTSB+rEITEBZMnjYjZc`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description)

docjhny20230925.exe "C:\Users\test22\AppData\Local\Temp\docjhny20230925.exe"
912
- docjhny20230925.exe "C:\Users\test22\AppData\Local\Temp\docjhny20230925.exe"
  2504
  - johnny10121.exe "C:\Users\test22\AppData\Roaming\johnny10121.exe"
    2608
    - svchost.exe "C:\Users\test22\AppData\Local\Temp\svchost.exe"
      3064
      - svchost.exe "C:\Users\test22\AppData\Local\Temp\svchost.exe"
        292
      - cmd.exe "cmd" /c mkdir "C:\Users\test22\AppData\Roaming\avast"
        2972
      - cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\avast\avast.exe'" /f
        3044
        
        schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\avast\avast.exe'" /f
        2392
      - cmd.exe "cmd" /c copy "C:\Users\test22\AppData\Local\Temp\svchost.exe" "C:\Users\test22\AppData\Roaming\avast\avast.exe"
        2464
- svchost.exe "C:\Users\test22\AppData\Local\Temp\svchost.exe"
  2628
  - svchost.exe "C:\Users\test22\AppData\Local\Temp\svchost.exe"
    724
  - cmd.exe "cmd" /c mkdir "C:\Users\test22\AppData\Roaming\avast"
    2132
  - cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\avast\avast.exe'" /f
    2516
    - schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\avast\avast.exe'" /f
      2780
  - cmd.exe "cmd" /c copy "C:\Users\test22\AppData\Local\Temp\svchost.exe" "C:\Users\test22\AppData\Roaming\avast\avast.exe"
    2676
- cmd.exe "cmd" /c mkdir "C:\Users\test22\AppData\Roaming\svchost"
  2708
- cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f
  2752
  - schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f
    2908
- cmd.exe "cmd" /c copy "C:\Users\test22\AppData\Local\Temp\docjhny20230925.exe" "C:\Users\test22\AppData\Roaming\svchost\svchost.exe"
  2800

Name	Response	Post-Analysis Lookup
mail.royalcheckout.store	CNAME royalcheckout.store A 179.43.183.46	179.43.183.46
softwarez.online
api.ipify.org	A 173.231.16.77 A 64.185.227.156 CNAME api4.ipify.org A 104.237.62.212	104.237.62.212

IP Address	Status	Action
164.124.101.2	Active	Moloch
179.43.183.46	Active	Moloch
64.185.227.156	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2047702	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup	Misc activity
UDP 192.168.56.103:52760 -> 8.8.8.8:53	2047702	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup	Misc activity
TCP 64.185.227.156:443 -> 192.168.56.103:49172	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 64.185.227.156:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity
TCP 192.168.56.103:49172 -> 64.185.227.156:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49172 -> 64.185.227.156:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity
TCP 179.43.183.46:587 -> 192.168.56.103:49174	2260002	SURICATA Applayer Detect protocol only one direction	Generic Protocol Command Decode
TCP 179.43.183.46:587 -> 192.168.56.103:49174	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 179.43.183.46:587	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49172 -> 64.185.227.156:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (11 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 25, 2023, 5 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 25, 2023, 5 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 25, 2023, 5 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 25, 2023, 5 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 25, 2023, 5 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 25, 2023, 5 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 25, 2023, 5 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 25, 2023, 5 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 25, 2023, 5 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 25, 2023, 5:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 25, 2023, 5:01 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (14 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 25, 2023, 5 p.m.			0	0
IsDebuggerPresent Sept. 25, 2023, 5 p.m.			0	0
IsDebuggerPresent Sept. 25, 2023, 5 p.m.			0	0
IsDebuggerPresent Sept. 25, 2023, 5 p.m.			0	0
IsDebuggerPresent Sept. 25, 2023, 5 p.m.			0	0
IsDebuggerPresent Sept. 25, 2023, 5 p.m.			0	0
IsDebuggerPresent Sept. 25, 2023, 5 p.m.			0	0
IsDebuggerPresent Sept. 25, 2023, 5 p.m.			0	0
IsDebuggerPresent Sept. 25, 2023, 5 p.m.			0	0
IsDebuggerPresent Sept. 25, 2023, 5 p.m.			0	0
IsDebuggerPresent Sept. 25, 2023, 5:01 p.m.			0	0
IsDebuggerPresent Sept. 25, 2023, 5:01 p.m.			0	0
IsDebuggerPresent Sept. 25, 2023, 5:01 p.m.			0	0
IsDebuggerPresent Sept. 25, 2023, 5:01 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (50 out of 72 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cf770 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cf770 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cf770 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cf770 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cf830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cf830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cf830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cf970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cf970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cf970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cf970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cf870 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cf870 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cf7b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cf7b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cf7b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cf7b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cf7b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cf7b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cf7b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00567d50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00567d50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00567d50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00567d50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c1120 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c1120 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c1120 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c1120 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c1120 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c1120 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c1120 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c1360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c1360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c1360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c1360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c1260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c1260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c1220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071bf58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071bf58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071bf58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071bf58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00744b00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00744b00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00744b00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00744b00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 25, 2023, 5 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 25, 2023, 5 p.m.	stacktrace: 0x930a3c 0x930962 0x930731 0x930084 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f72e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x740274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74027610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x740b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x740b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x740b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x740b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7460f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74897f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74894de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x933d25 registers.esp: 4649236 registers.edi: 4649260 registers.eax: 0 registers.ebp: 4649272 registers.edx: 195 registers.ebx: 35367392 registers.esi: 35371352 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Sept. 25, 2023, 5 p.m.

stacktrace:

0x930a3c
0x930962
0x930731
0x930084
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f72e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x740274ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74027610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x740b1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x740b1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x740b1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x740b416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7460f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74897f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74894de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x933d25
registers.esp: 4649236
registers.edi: 4649260
registers.eax: 0
registers.ebp: 4649272
registers.edx: 195
registers.ebx: 35367392
registers.esi: 35371352
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 183 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 912 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 912 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00412000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00455000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00457000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00436000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00437000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0084f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 2504 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00820000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00940000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 2504 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00630000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 2608 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00690000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 2608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 2608 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 2608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02100000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 2608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00332000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (11 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Looks up the external IP address (1 event)

domain

api.ipify.org

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\johnny10121.exe
file	C:\Users\test22\AppData\Local\Temp\svchost.exe

Creates a suspicious process (10 events)

cmdline	"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f
cmdline	"C:\Users\test22\AppData\Local\Temp\svchost.exe"
cmdline	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f
cmdline	"cmd" /c mkdir "C:\Users\test22\AppData\Roaming\svchost"
cmdline	"cmd" /c copy "C:\Users\test22\AppData\Local\Temp\svchost.exe" "C:\Users\test22\AppData\Roaming\avast\avast.exe"
cmdline	"C:\Users\test22\AppData\Local\Temp\svchost.exe"
cmdline	C:\Users\test22\AppData\Local\Temp\svchost.exe
cmdline	"cmd" /c copy "C:\Users\test22\AppData\Local\Temp\docjhny20230925.exe" "C:\Users\test22\AppData\Roaming\svchost\svchost.exe"
cmdline	"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\avast\avast.exe'" /f
cmdline	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\avast\avast.exe'" /f

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\svchost.exe
file	C:\Users\test22\AppData\Roaming\johnny10121.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Roaming\johnny10121.exe
file	C:\Users\test22\AppData\Local\Temp\svchost.exe

A process created a hidden window (9 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Sept. 25, 2023, 5 p.m.	thread_identifier: 2712 thread_handle: 0x0000042c process_identifier: 2708 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c mkdir "C:\Users\test22\AppData\Roaming\svchost" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003ec	1	1
CreateProcessInternalW Sept. 25, 2023, 5 p.m.	thread_identifier: 2756 thread_handle: 0x0000042c process_identifier: 2752 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000454	1	1
CreateProcessInternalW Sept. 25, 2023, 5 p.m.	thread_identifier: 2804 thread_handle: 0x0000042c process_identifier: 2800 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c copy "C:\Users\test22\AppData\Local\Temp\docjhny20230925.exe" "C:\Users\test22\AppData\Roaming\svchost\svchost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000045c	1	1
CreateProcessInternalW Sept. 25, 2023, 5:01 p.m.	thread_identifier: 2028 thread_handle: 0x00000294 process_identifier: 2132 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c mkdir "C:\Users\test22\AppData\Roaming\avast" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002a8	1	1
CreateProcessInternalW Sept. 25, 2023, 5:01 p.m.	thread_identifier: 2532 thread_handle: 0x00000294 process_identifier: 2516 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\avast\avast.exe'" /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002b4	1	1
CreateProcessInternalW Sept. 25, 2023, 5:01 p.m.	thread_identifier: 2656 thread_handle: 0x00000294 process_identifier: 2676 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c copy "C:\Users\test22\AppData\Local\Temp\svchost.exe" "C:\Users\test22\AppData\Roaming\avast\avast.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002b8	1	1
CreateProcessInternalW Sept. 25, 2023, 5:01 p.m.	thread_identifier: 3036 thread_handle: 0x00000294 process_identifier: 2972 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c mkdir "C:\Users\test22\AppData\Roaming\avast" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002a8	1	1
CreateProcessInternalW Sept. 25, 2023, 5:01 p.m.	thread_identifier: 2068 thread_handle: 0x00000294 process_identifier: 3044 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\avast\avast.exe'" /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002b4	1	1
CreateProcessInternalW Sept. 25, 2023, 5:01 p.m.	thread_identifier: 2468 thread_handle: 0x00000294 process_identifier: 2464 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c copy "C:\Users\test22\AppData\Local\Temp\svchost.exe" "C:\Users\test22\AppData\Roaming\avast\avast.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002b8	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 25, 2023, 5 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00122c00', u'virtual_address': u'0x00002000', u'entropy': 7.980574836792098, u'name': u'.text', u'virtual_size': u'0x00122b20'}

entropy

7.98057483679

description

A section with a high entropy has been found

entropy

0.878730638459

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 25, 2023, 5 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (26 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications smtp	rule	Network_SMTP_dotNet
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger

Created a process named as a common system process (6 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Sept. 25, 2023, 5 p.m.	thread_identifier: 2632 thread_handle: 0x00000454 process_identifier: 2628 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\svchost.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\svchost.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000045c	1	1
ShellExecuteExW Sept. 25, 2023, 5 p.m.	show_type: 1 filepath_r: C:\Users\test22\AppData\Local\Temp\\svchost.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\svchost.exe	1	1
CreateProcessInternalW Sept. 25, 2023, 5 p.m.	thread_identifier: 3068 thread_handle: 0x000006cc process_identifier: 3064 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\svchost.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\svchost.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000006d4	1	1
ShellExecuteExW Sept. 25, 2023, 5 p.m.	show_type: 1 filepath_r: C:\Users\test22\AppData\Local\Temp\\svchost.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\svchost.exe	1	1
CreateProcessInternalW Sept. 25, 2023, 5:01 p.m.	thread_identifier: 1188 thread_handle: 0x00000274 process_identifier: 724 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\svchost.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\svchost.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000278	1	1
CreateProcessInternalW Sept. 25, 2023, 5:01 p.m.	thread_identifier: 1836 thread_handle: 0x00000274 process_identifier: 292 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\svchost.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\svchost.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000278	1	1

Uses Windows utilities for basic Windows functionality (6 events)

cmdline	"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f
cmdline	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f
cmdline	"cmd" /c mkdir "C:\Users\test22\AppData\Roaming\svchost"
cmdline	"cmd" /c mkdir "C:\Users\test22\AppData\Roaming\avast"
cmdline	"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\avast\avast.exe'" /f
cmdline	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\avast\avast.exe'" /f

Makes SMTP requests, possibly sending spam (1 event)

receiver

[]

sender

[]

server

179.43.183.46

Allocates execute permission to another process indicative of possible code injection (5 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 2504 region_size: 417792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000278	1	0
NtAllocateVirtualMemory Sept. 25, 2023, 5:01 p.m.	process_identifier: 724 region_size: 98304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000278		3221225496
NtAllocateVirtualMemory Sept. 25, 2023, 5:01 p.m.	process_identifier: 724 region_size: 98304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000278	1	0
NtAllocateVirtualMemory Sept. 25, 2023, 5:01 p.m.	process_identifier: 292 region_size: 98304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000278		3221225496
NtAllocateVirtualMemory Sept. 25, 2023, 5:01 p.m.	process_identifier: 292 region_size: 98304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000278	1	0

A process attempted to delay the analysis task. (1 event)

description

johnny10121.exe tried to sleep 2728223 seconds, actually delayed analysis time by 2728223 seconds

Installs itself for autorun at Windows startup (4 events)

cmdline	"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f
cmdline	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f
cmdline	"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\avast\avast.exe'" /f
cmdline	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\avast\avast.exe'" /f

Harvests credentials from local FTP client softwares (5 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\SOFTWARE\FTPWare\COREFTP\Sites

Potential code injection by writing to the memory of another process (10 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 25, 2023, 5 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL´¢eàø. @ `@ØS 8@ H.text4÷ ø `.rsrc8 ú@@.reloc@þ@B base_address: 0x00400000 process_identifier: 2504 process_handle: 0x00000278	1	1
WriteProcessMemory Sept. 25, 2023, 5 p.m.	buffer: 0HX àà4VS_VERSION_INFO½ïþ-Y-Y?DVarFileInfo$Translation°@StringFileInfo000004b00CompanyNamecommonHFileDescriptiondrenchdownward4 FileVersion4.7.89.454 InternalNamejohn.exeHLegalCopyrightpresent © drunken< OriginalFilenamejohn.exe,ProductNamebelly8 ProductVersion4.7.89.45< Assembly Version4.7.89.45 base_address: 0x00462000 process_identifier: 2504 process_handle: 0x00000278	1	1
WriteProcessMemory Sept. 25, 2023, 5 p.m.	buffer: 07 base_address: 0x00464000 process_identifier: 2504 process_handle: 0x00000278	1	1
WriteProcessMemory Sept. 25, 2023, 5 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2504 process_handle: 0x00000278	1	1
WriteProcessMemory Sept. 25, 2023, 5:01 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL²X`à þ= @@ .@¤=W@¸ ` H.text `.rsrc¸ @"@@.reloc`0@B base_address: 0x000b0000 process_identifier: 724 process_handle: 0x00000278	1	1
WriteProcessMemory Sept. 25, 2023, 5:01 p.m.	buffer: 0> base_address: 0x000c6000 process_identifier: 724 process_handle: 0x00000278	1	1
WriteProcessMemory Sept. 25, 2023, 5:01 p.m.	buffer: base_address: 0x7efde008 process_identifier: 724 process_handle: 0x00000278	1	1
WriteProcessMemory Sept. 25, 2023, 5:01 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL²X`à þ= @@ .@¤=W@¸ ` H.text `.rsrc¸ @"@@.reloc`0@B base_address: 0x000b0000 process_identifier: 292 process_handle: 0x00000278	1	1
WriteProcessMemory Sept. 25, 2023, 5:01 p.m.	buffer: 0> base_address: 0x000c6000 process_identifier: 292 process_handle: 0x00000278	1	1
WriteProcessMemory Sept. 25, 2023, 5:01 p.m.	buffer: base_address: 0x7efde008 process_identifier: 292 process_handle: 0x00000278	1	1

Code injection by writing an executable or DLL to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 25, 2023, 5 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL´¢eàø. @ `@ØS 8@ H.text4÷ ø `.rsrc8 ú@@.reloc@þ@B base_address: 0x00400000 process_identifier: 2504 process_handle: 0x00000278	1	1
WriteProcessMemory Sept. 25, 2023, 5:01 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL²X`à þ= @@ .@¤=W@¸ ` H.text `.rsrc¸ @"@@.reloc`0@B base_address: 0x000b0000 process_identifier: 724 process_handle: 0x00000278	1	1
WriteProcessMemory Sept. 25, 2023, 5:01 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL²X`à þ= @@ .@¤=W@¸ ` H.text `.rsrc¸ @"@@.reloc`0@B base_address: 0x000b0000 process_identifier: 292 process_handle: 0x00000278	1	1

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Sept. 25, 2023, 5 p.m.	thread_identifier: 0 callback_function: 0x007608ca hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00970000	1	524713	0

Harvests credentials from local email clients (6 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 912 called NtSetContextThread to modify thread in remote process 2504
Process injection	Process 2628 called NtSetContextThread to modify thread in remote process 724
Process injection	Process 3064 called NtSetContextThread to modify thread in remote process 292
NtSetContextThread Sept. 25, 2023, 5 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4593454 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000274 process_identifier: 2504	1	0	0
NtSetContextThread Sept. 25, 2023, 5:01 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4210174 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000274 process_identifier: 724	1	0	0
NtSetContextThread Sept. 25, 2023, 5:01 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4210174 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000274 process_identifier: 292	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 912 resumed a thread in remote process 2504
Process injection	Process 2628 resumed a thread in remote process 724
Process injection	Process 3064 resumed a thread in remote process 292
NtResumeThread Sept. 25, 2023, 5 p.m.	thread_handle: 0x00000274 suspend_count: 1 process_identifier: 2504	1	0	0
NtResumeThread Sept. 25, 2023, 5:01 p.m.	thread_handle: 0x00000274 suspend_count: 1 process_identifier: 724	1	0	0
NtResumeThread Sept. 25, 2023, 5:01 p.m.	thread_handle: 0x00000274 suspend_count: 1 process_identifier: 292	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 78 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 25, 2023, 5 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 912	1	0
NtResumeThread Sept. 25, 2023, 5 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 912	1	0
NtResumeThread Sept. 25, 2023, 5 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 912	1	0
CreateProcessInternalW Sept. 25, 2023, 5 p.m.	thread_identifier: 2508 thread_handle: 0x00000274 process_identifier: 2504 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\docjhny20230925.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\docjhny20230925.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\docjhny20230925.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000278	1	1
NtGetContextThread Sept. 25, 2023, 5 p.m.	thread_handle: 0x00000274	1	0
NtAllocateVirtualMemory Sept. 25, 2023, 5 p.m.	process_identifier: 2504 region_size: 417792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000278	1	0
WriteProcessMemory Sept. 25, 2023, 5 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL´¢eàø. @ `@ØS 8@ H.text4÷ ø `.rsrc8 ú@@.reloc@þ@B base_address: 0x00400000 process_identifier: 2504 process_handle: 0x00000278	1	1
WriteProcessMemory Sept. 25, 2023, 5 p.m.	buffer: base_address: 0x00402000 process_identifier: 2504 process_handle: 0x00000278	1	1
WriteProcessMemory Sept. 25, 2023, 5 p.m.	buffer: 0HX àà4VS_VERSION_INFO½ïþ-Y-Y?DVarFileInfo$Translation°@StringFileInfo000004b00CompanyNamecommonHFileDescriptiondrenchdownward4 FileVersion4.7.89.454 InternalNamejohn.exeHLegalCopyrightpresent © drunken< OriginalFilenamejohn.exe,ProductNamebelly8 ProductVersion4.7.89.45< Assembly Version4.7.89.45 base_address: 0x00462000 process_identifier: 2504 process_handle: 0x00000278	1	1
WriteProcessMemory Sept. 25, 2023, 5 p.m.	buffer: 07 base_address: 0x00464000 process_identifier: 2504 process_handle: 0x00000278	1	1
WriteProcessMemory Sept. 25, 2023, 5 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2504 process_handle: 0x00000278	1	1
NtSetContextThread Sept. 25, 2023, 5 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4593454 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000274 process_identifier: 2504	1	0
NtResumeThread Sept. 25, 2023, 5 p.m.	thread_handle: 0x00000274 suspend_count: 1 process_identifier: 2504	1	0
NtResumeThread Sept. 25, 2023, 5 p.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 912	1	0
CreateProcessInternalW Sept. 25, 2023, 5 p.m.	thread_identifier: 2632 thread_handle: 0x00000454 process_identifier: 2628 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\svchost.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\svchost.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000045c	1	1
CreateProcessInternalW Sept. 25, 2023, 5 p.m.	thread_identifier: 2712 thread_handle: 0x0000042c process_identifier: 2708 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c mkdir "C:\Users\test22\AppData\Roaming\svchost" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003ec	1	1
CreateProcessInternalW Sept. 25, 2023, 5 p.m.	thread_identifier: 2756 thread_handle: 0x0000042c process_identifier: 2752 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000454	1	1
CreateProcessInternalW Sept. 25, 2023, 5 p.m.	thread_identifier: 2804 thread_handle: 0x0000042c process_identifier: 2800 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c copy "C:\Users\test22\AppData\Local\Temp\docjhny20230925.exe" "C:\Users\test22\AppData\Roaming\svchost\svchost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000045c	1	1
NtResumeThread Sept. 25, 2023, 5 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2504	1	0
NtResumeThread Sept. 25, 2023, 5 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2504	1	0
NtResumeThread Sept. 25, 2023, 5 p.m.	thread_handle: 0x000001c0 suspend_count: 1 process_identifier: 2504	1	0
CreateProcessInternalW Sept. 25, 2023, 5 p.m.	thread_identifier: 2612 thread_handle: 0x00000380 process_identifier: 2608 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\johnny10121.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\johnny10121.exe" filepath_r: C:\Users\test22\AppData\Roaming\johnny10121.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000388	1	1
NtResumeThread Sept. 25, 2023, 5 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2608	1	0
NtResumeThread Sept. 25, 2023, 5 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2608	1	0
NtResumeThread Sept. 25, 2023, 5 p.m.	thread_handle: 0x000001c4 suspend_count: 1 process_identifier: 2608	1	0
NtResumeThread Sept. 25, 2023, 5 p.m.	thread_handle: 0x00000284 suspend_count: 1 process_identifier: 2608	1	0
NtResumeThread Sept. 25, 2023, 5 p.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 2608	1	0
NtResumeThread Sept. 25, 2023, 5 p.m.	thread_handle: 0x00000368 suspend_count: 1 process_identifier: 2608	1	0
NtResumeThread Sept. 25, 2023, 5 p.m.	thread_handle: 0x0000039c suspend_count: 1 process_identifier: 2608	1	0
NtResumeThread Sept. 25, 2023, 5 p.m.	thread_handle: 0x000004e0 suspend_count: 1 process_identifier: 2608	1	0
CreateProcessInternalW Sept. 25, 2023, 5 p.m.	thread_identifier: 3068 thread_handle: 0x000006cc process_identifier: 3064 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\svchost.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\svchost.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000006d4	1	1
NtResumeThread Sept. 25, 2023, 5 p.m.	thread_handle: 0x000006f0 suspend_count: 1 process_identifier: 2608	1	0
NtResumeThread Sept. 25, 2023, 5 p.m.	thread_handle: 0x00000394 suspend_count: 1 process_identifier: 2608	1	0
NtResumeThread Sept. 25, 2023, 5 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2628	1	0
NtResumeThread Sept. 25, 2023, 5 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2628	1	0
NtResumeThread Sept. 25, 2023, 5 p.m.	thread_handle: 0x000001d0 suspend_count: 1 process_identifier: 2628	1	0
CreateProcessInternalW Sept. 25, 2023, 5:01 p.m.	thread_identifier: 1188 thread_handle: 0x00000274 process_identifier: 724 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\svchost.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\svchost.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000278	1	1
NtGetContextThread Sept. 25, 2023, 5:01 p.m.	thread_handle: 0x00000274	1	0
NtAllocateVirtualMemory Sept. 25, 2023, 5:01 p.m.	process_identifier: 724 region_size: 98304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000278		3221225496
NtAllocateVirtualMemory Sept. 25, 2023, 5:01 p.m.	process_identifier: 724 region_size: 98304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000278	1	0
WriteProcessMemory Sept. 25, 2023, 5:01 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL²X`à þ= @@ .@¤=W@¸ ` H.text `.rsrc¸ @"@@.reloc`0@B base_address: 0x000b0000 process_identifier: 724 process_handle: 0x00000278	1	1
WriteProcessMemory Sept. 25, 2023, 5:01 p.m.	buffer: base_address: 0x000b2000 process_identifier: 724 process_handle: 0x00000278	1	1
WriteProcessMemory Sept. 25, 2023, 5:01 p.m.	buffer: base_address: 0x000b4000 process_identifier: 724 process_handle: 0x00000278	1	1
WriteProcessMemory Sept. 25, 2023, 5:01 p.m.	buffer: 0> base_address: 0x000c6000 process_identifier: 724 process_handle: 0x00000278	1	1
WriteProcessMemory Sept. 25, 2023, 5:01 p.m.	buffer: base_address: 0x7efde008 process_identifier: 724 process_handle: 0x00000278	1	1
NtSetContextThread Sept. 25, 2023, 5:01 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4210174 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000274 process_identifier: 724	1	0
NtResumeThread Sept. 25, 2023, 5:01 p.m.	thread_handle: 0x00000274 suspend_count: 1 process_identifier: 724	1	0
CreateProcessInternalW Sept. 25, 2023, 5:01 p.m.	thread_identifier: 2028 thread_handle: 0x00000294 process_identifier: 2132 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c mkdir "C:\Users\test22\AppData\Roaming\avast" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002a8	1	1
CreateProcessInternalW Sept. 25, 2023, 5:01 p.m.	thread_identifier: 2532 thread_handle: 0x00000294 process_identifier: 2516 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\avast\avast.exe'" /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002b4	1	1
CreateProcessInternalW Sept. 25, 2023, 5:01 p.m.	thread_identifier: 2656 thread_handle: 0x00000294 process_identifier: 2676 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c copy "C:\Users\test22\AppData\Local\Temp\svchost.exe" "C:\Users\test22\AppData\Roaming\avast\avast.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002b8	1	1

docjhny20230925.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All