Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 31, 2023, 9:14 a.m.	Oct. 31, 2023, 9:16 a.m.

Size	200.0KB
Type	ASCII text, with very long lines
MD5	`fdfd15e9fad07371318a7a30e8d9646e`
SHA256	`40a7240d513c153891985d9445215a11fb340e277eacef40bb6260747126685a`
CRC32	`9E35BCB8`
ssdeep	`6144:MQcZI583j+TAlalL1xW/RdOj19G48aXE4p/+Y:Xc6TAw5P/pHUI/3`
Yara	None matched

explorer.exe C:\Windows\Explorer.EXE
1452
javaw.exe "C:\Users\test22\AppData\Roaming\jre7\bin\javaw.exe" -jar "C:\Users\test22\AppData\Roaming\ahyzzfonw.txt"
3064
- icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  1728
- java.exe "C:\Users\test22\AppData\Roaming\jre7\bin\java.exe" -jar "C:\Users\test22\AppData\Roaming\jre7\ahyzzfonw.txt"
  2272
  - java.exe "C:\Users\test22\AppData\Roaming\jre7\bin\java.exe" -jar "C:\Users\test22\ahyzzfonw.txt"
    204
    - cmd.exe cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\ahyzzfonw.txt"
      2288
      - schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\ahyzzfonw.txt"
        1320
    - java.exe "C:\Users\test22\AppData\Roaming\jre7\bin\java.exe" -jar "C:\Users\test22\AppData\Roaming\ahyzzfonw.txt"
      1616

Name	Response	Post-Analysis Lookup
repo1.maven.org	A 151.101.40.209 CNAME dualstack.sonatype.map.fastly.net	199.232.196.209
50kteam.dynamic-dns.net	A 185.222.58.83	185.222.58.83
github.com	A 20.200.245.247	20.200.245.247
objects.githubusercontent.com	A 185.199.109.133 A 185.199.111.133 A 185.199.110.133 A 185.199.108.133	185.199.109.133
wshsoft.company	A 185.232.14.169	185.232.14.169

IP Address	Status	Action
151.101.40.209	Active	Moloch
164.124.101.2	Active	Moloch
185.199.110.133	Active	Moloch
185.232.14.169	Active	Moloch
185.222.58.83	Active	Moloch
20.200.245.247	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49171 185.199.110.133:443	C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=*.github.io	a1:46:14:c7:2a:1d:52:79:f6:aa:2b:b2:c5:0a:3b:d3:f5:02:06:75
TLS 1.2 192.168.56.101:49170 151.101.40.209:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2023 Q1	CN=repo1.maven.org	94:bc:2a:d0:1a:cf:41:94:d4:9a:de:44:ab:b4:42:39:8a:f6:bf:f3
TLS 1.2 192.168.56.101:49169 151.101.40.209:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2023 Q1	CN=repo1.maven.org	94:bc:2a:d0:1a:cf:41:94:d4:9a:de:44:ab:b4:42:39:8a:f6:bf:f3
TLS 1.2 192.168.56.101:49167 20.200.245.247:443	C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com	a3:b5:9e:5f:e8:84:ee:1f:34:d9:8e:ef:85:8e:3f:b6:62:ac:10:4a
TLS 1.2 192.168.56.101:49168 151.101.40.209:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2023 Q1	CN=repo1.maven.org	94:bc:2a:d0:1a:cf:41:94:d4:9a:de:44:ab:b4:42:39:8a:f6:bf:f3

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 31, 2023, 9:15 a.m.	computer_name: TEST22-PC	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 31, 2023, 9:14 a.m.		1	1	0

One or more processes crashed (8 events)

Time & API	Arguments	Status
__exception__ Oct. 31, 2023, 9:14 a.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2540202 registers.esp: 12448728 registers.edi: 2969800 registers.eax: 6 registers.ebp: 1927285648 registers.edx: 0 registers.ebx: 133120 registers.esi: 0 registers.ecx: 3405691582	1
__exception__ Oct. 31, 2023, 9:14 a.m.	stacktrace: _JVM_StartThread@8+0x1eb _JVM_StopThread@12-0x35 jvm+0x112a1b @ 0x72b72a1b 0x254db31 0x2544864 0x2544864 0x2544864 0x2544864 0x2544864 0x2544864 0x2544864 0x2540697 jio_vsnprintf+0x52194 _JVM_EnqueueOperation@20-0x657dc jvm+0x1653c4 @ 0x72bc53c4 _JVM_RegisterSignal@8+0x6ac2b ??_7VM_Operation@@6B@-0x9dff9 jvm+0x2360ab @ 0x72c960ab jio_vsnprintf+0x51d3a _JVM_EnqueueOperation@20-0x65c36 jvm+0x164f6a @ 0x72bc4f6a AsyncGetCallTrace+0x10015 JNI_CreateJavaVM-0x85b jvm+0xebc35 @ 0x72b4bc35 AsyncGetCallTrace+0x8896 JNI_CreateJavaVM-0x7fda jvm+0xe44b6 @ 0x72b444b6 javaw+0x2322 @ 0x1102322 exception.instruction_r: c7 04 08 01 00 00 00 eb 0c ff 75 ec e8 e4 78 1c exception.instruction: mov dword ptr [eax + ecx], 1 exception.exception_code: 0xc0000005 exception.symbol: _JVM_GetVmMemoryPressure@0-0x12655 jvm+0x9bcb exception.address: 0x72a69bcb registers.esp: 12448820 registers.edi: 2968576 registers.eax: 11730944 registers.ebp: 12448860 registers.edx: 356933424 registers.ebx: 341979248 registers.esi: 2968576 registers.ecx: 2432	1
__exception__ Oct. 31, 2023, 9:14 a.m.	stacktrace: 0x2544345 0x2544345 0x25447c4 0x25447f9 0x25447c4 0x2544864 0x25447f9 0x2544864 0x2544864 0x2544864 0x2544864 0x2544864 0x2544864 0x2544864 0x25447c4 0x25447c4 0x25447c4 0x2544864 0x2544864 0x2544864 0x2544899 0x2540697 jio_vsnprintf+0x52194 _JVM_EnqueueOperation@20-0x657dc jvm+0x1653c4 @ 0x72bc53c4 _JVM_RegisterSignal@8+0x6ac2b ??_7VM_Operation@@6B@-0x9dff9 jvm+0x2360ab @ 0x72c960ab jio_vsnprintf+0x52947 _JVM_EnqueueOperation@20-0x65029 jvm+0x165b77 @ 0x72bc5b77 jio_vsnprintf+0x52886 _JVM_EnqueueOperation@20-0x650ea jvm+0x165ab6 @ 0x72bc5ab6 JNI_GetDefaultJavaVMInitArgs+0x14b8b _JVM_Accept@12-0x9d5 jvm+0x10116b @ 0x72b6116b jio_vsnprintf+0x769a4 _JVM_EnqueueOperation@20-0x40fcc jvm+0x189bd4 @ 0x72be9bd4 _JVM_RegisterSignal@8+0x3bcb ??_7VM_Operation@@6B@-0x105059 jvm+0x1cf04b @ 0x72c2f04b _o_iswdigit+0x5f _o_rand-0x151 ucrtbase+0x3deef @ 0x735edeef BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 85 05 00 01 b2 00 c3 90 90 64 8b 34 25 00 00 00 exception.instruction: test eax, dword ptr [0xb20100] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x266c2c8 registers.esp: 358150396 registers.edi: 16 registers.eax: 77907272 registers.ebp: 358150532 registers.edx: 77906064 registers.ebx: 77906400 registers.esi: 77906320 registers.ecx: 77907272	1
__exception__ Oct. 31, 2023, 9:15 a.m.	stacktrace: jio_vsnprintf+0x54431 _JVM_EnqueueOperation@20-0x6353f jvm+0x167661 @ 0x72bc7661 jio_vsnprintf+0x73b0a _JVM_EnqueueOperation@20-0x43e66 jvm+0x186d3a @ 0x72be6d3a jio_vsnprintf+0x769bc _JVM_EnqueueOperation@20-0x40fb4 jvm+0x189bec @ 0x72be9bec _JVM_RegisterSignal@8+0x3bcb ??_7VM_Operation@@6B@-0x105059 jvm+0x1cf04b @ 0x72c2f04b _o_iswdigit+0x5f _o_rand-0x151 ucrtbase+0x3deef @ 0x735edeef BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c7 04 08 01 00 00 00 eb 0c ff 75 ec e8 e4 78 1c exception.instruction: mov dword ptr [eax + ecx], 1 exception.exception_code: 0xc0000005 exception.symbol: _JVM_GetVmMemoryPressure@0-0x12655 jvm+0x9bcb exception.address: 0x72a69bcb registers.esp: 365164528 registers.edi: 2955216 registers.eax: 11730944 registers.ebp: 365164568 registers.edx: 0 registers.ebx: 367187968 registers.esi: 367187968 registers.ecx: 2816	1
__exception__ Oct. 31, 2023, 9:15 a.m.	stacktrace: 0x26aeafc 0x25444f0 0x25444f0 0x25444f0 0x25444f0 0x25444f0 0x25444f0 0x25444f0 0x25447c4 0x25447c4 0x25447c4 0x25447c4 0x25447c4 0x25447c4 0x25447c4 0x26ad2e4 0x25444f0 0x25444f0 0x25444f0 0x26ad284 0x2544864 0x2544864 0x2544864 0x2544899 0x2540697 jio_vsnprintf+0x52194 _JVM_EnqueueOperation@20-0x657dc jvm+0x1653c4 @ 0x72bc53c4 _JVM_RegisterSignal@8+0x6ac2b ??_7VM_Operation@@6B@-0x9dff9 jvm+0x2360ab @ 0x72c960ab jio_vsnprintf+0x52947 _JVM_EnqueueOperation@20-0x65029 jvm+0x165b77 @ 0x72bc5b77 jio_vsnprintf+0x52886 _JVM_EnqueueOperation@20-0x650ea jvm+0x165ab6 @ 0x72bc5ab6 JNI_GetDefaultJavaVMInitArgs+0x14b8b _JVM_Accept@12-0x9d5 jvm+0x10116b @ 0x72b6116b jio_vsnprintf+0x769a4 _JVM_EnqueueOperation@20-0x40fcc jvm+0x189bd4 @ 0x72be9bd4 _JVM_RegisterSignal@8+0x3bcb ??_7VM_Operation@@6B@-0x105059 jvm+0x1cf04b @ 0x72c2f04b _o_iswdigit+0x5f _o_rand-0x151 ucrtbase+0x3deef @ 0x735edeef BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 85 05 00 01 b2 00 8b da 89 bc 24 a0 00 00 00 89 exception.instruction: test eax, dword ptr [0xb20100] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x26a2c9d registers.esp: 360247120 registers.edi: 1424717312 registers.eax: 2633419037 registers.ebp: 360247552 registers.edx: 1762408953 registers.ebx: 3774873600 registers.esi: 3947110042 registers.ecx: 73	1
__exception__ Oct. 31, 2023, 9:15 a.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2610202 registers.esp: 12580268 registers.edi: 3956704 registers.eax: 6 registers.ebp: 1923222416 registers.edx: 0 registers.ebx: 16910336 registers.esi: 0 registers.ecx: 3405691582	1
__exception__ Oct. 31, 2023, 9:15 a.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2610202 registers.esp: 14612828 registers.edi: 6576328 registers.eax: 6 registers.ebp: 1927285648 registers.edx: 0 registers.ebx: 133120 registers.esi: 0 registers.ecx: 3405691582	1
__exception__ Oct. 31, 2023, 9:15 a.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2610202 registers.esp: 12710572 registers.edi: 2842360 registers.eax: 6 registers.ebp: 1927285648 registers.edx: 0 registers.ebx: 133120 registers.esi: 0 registers.ecx: 3405691582	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (1 event)

domain

50kteam.dynamic-dns.net

Performs some HTTP requests (1 event)

request

GET http://wshsoft.company/jv/jrex.zip

Allocates read-write-execute memory (usually to unpack itself) (50 out of 149 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 31, 2023, 9:15 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 163840 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02540000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02568000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02570000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02578000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02580000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02588000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02590000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02598000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025a8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025b8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025d8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025e0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025e8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025f8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02608000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02610000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02618000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02628000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02630000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02638000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02640000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02648000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02650000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02658000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02660000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02668000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02670000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02678000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02680000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02688000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02690000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02698000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:14 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:15 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:15 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:15 a.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:15 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 163840 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02610000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:15 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02638000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:15 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02640000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:15 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02648000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 31, 2023, 9:15 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02650000 process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna2206488719288708811.dll
file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna7686053444325241709.dll

Creates a suspicious process (2 events)

cmdline	schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\ahyzzfonw.txt"
cmdline	cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\ahyzzfonw.txt"

Drops an executable to the user AppData folder (50 out of 130 events)

file	C:\Users\test22\AppData\Roaming\jre7\bin\t2k.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\api-ms-win-crt-multibyte-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\pack200.exe
file	C:\Users\test22\AppData\Roaming\jre7\bin\ssv.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\management.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\api-ms-win-crt-private-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\wsdetect.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\api-ms-win-core-errorhandling-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\jfr.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\prism_common.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\api-ms-win-core-console-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\javafx_iio.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\dt_shmem.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\nio.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\api-ms-win-core-debug-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\jjs.exe
file	C:\Users\test22\AppData\Roaming\jre7\bin\jpeg.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\w2k_lsa_auth.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\eula.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\plugin2\msvcp140.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\api-ms-win-core-datetime-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\jabswitch.exe
file	C:\Users\test22\AppData\Roaming\jre7\bin\api-ms-win-core-rtlsupport-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\npt.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\gstreamer-lite.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\jfxwebkit.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\fontmanager.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\sunmscapi.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\prism_d3d.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\javaw.exe
file	C:\Users\test22\AppData\Roaming\jre7\bin\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\jfxmedia.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\tnameserv.exe
file	C:\Users\test22\AppData\Roaming\jre7\bin\rmid.exe
file	C:\Users\test22\AppData\Roaming\jre7\bin\awt.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\kinit.exe
file	C:\Users\test22\AppData\Roaming\jre7\bin\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\dtplugin\deployJava1.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\decora_sse.dll
file	C:\Users\test22\AppData\Roaming\jre7\bin\splashscreen.dll

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 31, 2023, 9:14 a.m.	flags: 28 family: 0	1	0	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\ahyzzfonw.txt"
cmdline	cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\ahyzzfonw.txt"

Installs itself for autorun at Windows startup (6 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ahyzzfonw	reg_value	"C:\Users\test22\AppData\Roaming\ahyzzfonw.txt"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ahyzzfonw	reg_value	"C:\Users\test22\AppData\Roaming\ahyzzfonw.txt"
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ahyzzfonw.txt
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ahyzzfonw.txt
cmdline	schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\ahyzzfonw.txt"
cmdline	cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\ahyzzfonw.txt"

Uses suspicious command line tools or Windows utilities (1 event)

cmdline

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

The process java.exe wrote an executable file to disk (2 events)

file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna2206488719288708811.dll
file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna7686053444325241709.dll

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

Lionic	Trojan.Script.Agent.4!c
Skyhigh	JS/Agent.ha
ALYac	JS:Trojan.Cryxos.13219
VIPRE	JS:Trojan.Cryxos.13219
Symantec	JS.Downloader
ESET-NOD32	JS/Kryptik.CPV
Avast	Script:SNH-gen [Trj]
Kaspersky	Trojan.JS.Agent.erc
BitDefender	JS:Trojan.Cryxos.13219
NANO-Antivirus	Exploit.Script.Nemucod.dzzhbf
MicroWorld-eScan	JS:Trojan.Cryxos.13219
Tencent	Js.Trojan.Agent.Umhl
Sophos	JS/Drop-DHA
DrWeb	Trojan.Siggen21.56157
FireEye	JS:Trojan.Cryxos.13219
Emsisoft	JS:Trojan.Cryxos.13219 (B)
Ikarus	Trojan.Java.GenericGB
Google	Detected
Microsoft	TrojanDownloader:Win32/Nemucod!ml
Arcabit	JS:Trojan.Cryxos.D33A3
ZoneAlarm	Trojan.JS.Agent.erc
GData	JS:Trojan.Cryxos.13219
Varist	JS/Agent.BZP
McAfee	JS/Agent.ha
Rising	Trojan.Kryptik/JS!8.10DBE (TOPIS:E0:8FLEVXabM7O)
MAX	malware (ai score=84)
Fortinet	JS/Kryptik.CPV!tr
AVG	Script:SNH-gen [Trj]

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (13 events)

dead_host	185.222.58.83:1780
dead_host	192.168.56.101:49181
dead_host	192.168.56.101:49191
dead_host	192.168.56.101:49180
dead_host	192.168.56.101:49189
dead_host	192.168.56.101:49188
dead_host	192.168.56.101:49179
dead_host	192.168.56.101:49187
dead_host	185.222.58.83:1788
dead_host	192.168.56.101:49183
dead_host	192.168.56.101:49185
dead_host	192.168.56.101:49182
dead_host	192.168.56.101:49190

DOC757869856647.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All