Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 11, 2023, 4:16 p.m.	Nov. 11, 2023, 4:49 p.m.

Size	1.3MB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`76237495f1127cd3e1506ef3cdac3fbb`
SHA256	`4fb56fc91b2d13afeb1ace4a5dfc6cca15ae7da40669e059650563e24bfac063`
CRC32	`1F4EC692`
ssdeep	`24576:lobNy5HZN1AXQdGRZEb4zaqfaadDe+DfKjC9pxctSYBAiRalfw:lobQPOQdVqaadDeSfK8rDl`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format

system12.exe "C:\Users\test22\AppData\Local\Temp\system12.exe"
1872
- cmd.exe cmd /k cmd < Personnel & exit
  2192
  - cmd.exe cmd
    2236
    - tasklist.exe tasklist
      2280
    - findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      2316
    - tasklist.exe tasklist
      2424
    - findstr.exe findstr /I "wrsa.exe"
      2460
    - cmd.exe cmd /c mkdir 7460
      2532
    - cmd.exe cmd /c copy /b Recorders + Objective + Webshots + Webcast + Matthew 7460\Norm.pif
      2576
    - cmd.exe cmd /c copy /b Pounds 7460\s
      2620
    - PING.EXE ping -n 15 localhost
      2700
    - Norm.pif 7460\Norm.pif 7460\s
      2664
      - schtasks.exe schtasks.exe /create /tn "LifeSync" /tr "wscript 'C:\Users\test22\AppData\Local\LifeSync Labs Inc\LifeSync.js'" /sc onlogon /F /RL HIGHEST
        2768
      - cmd.exe cmd /c schtasks.exe /create /tn "Clip" /tr "wscript 'C:\Users\test22\AppData\Local\LifeSync Labs Inc\LifeSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
        2804
        
        schtasks.exe schtasks.exe /create /tn "Clip" /tr "wscript 'C:\Users\test22\AppData\Local\LifeSync Labs Inc\LifeSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
        2956
      - jsc.exe C:\Users\test22\AppData\Local\Temp\57192\7460\jsc.exe
        2440
      - jsc.exe C:\Users\test22\AppData\Local\Temp\57192\7460\jsc.exe
        2928

Name	Response	Post-Analysis Lookup
vUEfYlUOIJMXrZYMHgsASygLi.vUEfYlUOIJMXrZYMHgsASygLi

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 11, 2023, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2023, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2023, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2023, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 11, 2023, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2023, 4:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 11, 2023, 4:17 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2023, 4:17 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (9 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 11, 2023, 4:16 p.m.			0	0
IsDebuggerPresent Nov. 11, 2023, 4:16 p.m.			0	0
IsDebuggerPresent Nov. 11, 2023, 4:16 p.m.			0	0
IsDebuggerPresent Nov. 11, 2023, 4:16 p.m.			0	0
IsDebuggerPresent Nov. 11, 2023, 4:16 p.m.			0	0
IsDebuggerPresent Nov. 11, 2023, 4:17 p.m.			0	0
IsDebuggerPresent Nov. 11, 2023, 4:17 p.m.			0	0
IsDebuggerPresent Nov. 11, 2023, 4:17 p.m.			0	0
IsDebuggerPresent Nov. 11, 2023, 4:17 p.m.			0	0

Command line console output was observed (50 out of 420 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: Microsoft Windows [Version 6.1.7601] console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: Copyright (c) 2009 Microsoft Corporation. All rights reserved. console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\57192> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: Set ipZuoDpIBrjWnJfRwQGKnHmxHcErVgf=c console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\57192> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: BrvfIgZyGhPEvakgHPpDgF=JFmNZuNjOpdWGSCaBHF console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: 'BrvfIgZyGhPEvakgHPpDgF' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\57192> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: xKQlezPgmymdWDMJpBqYTwqxuc=ctvHWJMyZOgKFsnMJJZqe console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: 'xKQlezPgmymdWDMJpBqYTwqxuc' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\57192> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: SpqGGZaJctHO=prbDHpbNVURxHxgsK console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: 'SpqGGZaJctHO' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\57192> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: cCfkjHfrNNda=eRXfJkuaQEzXg console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: 'cCfkjHfrNNda' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\57192> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: jYEtsKXjjtYQQ=EcKbCKODKyFuEOE console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: 'jYEtsKXjjtYQQ' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\57192> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: Set VgXnrtpIYIjQESdScSOcUWcExIgmmkupHfoJSalmjwnUbXZR=x console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\57192> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: KLZoeZTzrcPJpNBrofJGZrIg=SbAibJvLMAxpn console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: 'KLZoeZTzrcPJpNBrofJGZrIg' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\57192> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: pQmgPKDSLazOJo=MHrLZlCajFLz console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: 'pQmgPKDSLazOJo' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\57192> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: vjiUKrAQmOSEFZMoNIZgEZSdbnwGn=JrdFcnlmtGHdjTk console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: 'vjiUKrAQmOSEFZMoNIZgEZSdbnwGn' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\57192> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: xlQpmXMyavxR=kwTsjyPhZEhYhDaGhN console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: 'xlQpmXMyavxR' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\57192> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: ydtQQfOLslhYtzrTFNZqNvTxGCkkz=myJxLuulrenzbeMFo console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: 'ydtQQfOLslhYtzrTFNZqNvTxGCkkz' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\57192> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: lKNSgMkJvKlhtCaXLofJH=NcKWCxYQHwxFwIGGQXpeJvqPYVqA console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: 'lKNSgMkJvKlhtCaXLofJH' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\57192> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: EfnXhXaoslRLGeoT=AJdysaAEhdxUYGzbmrL console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: 'EfnXhXaoslRLGeoT' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\57192> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: IOLgnnMssrzRWAxspjhXYzZGXhzD=huZvYQMYeGTFphlXDXn console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: 'IOLgnnMssrzRWAxspjhXYzZGXhzD' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\57192> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: wghPNXgOysltpT=WzxYJIziFza console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: 'wghPNXgOysltpT' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\57192> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2023, 4:16 p.m.	buffer: Set uPIzdVsvZTpIqBXSLvOcfphDoZODIuIvcooYvXUpSbtel=d console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 11, 2023, 4:16 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.itext

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (29 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 11, 2023, 4:16 p.m.	process_identifier: 1872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2023, 4:16 p.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2023, 4:17 p.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2023, 4:16 p.m.	process_identifier: 2440 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2023, 4:16 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2023, 4:16 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2023, 4:16 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2023, 4:16 p.m.	process_identifier: 2440 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2023, 4:16 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02390000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2023, 4:16 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2023, 4:16 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2023, 4:16 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2023, 4:16 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00425000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2023, 4:16 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2023, 4:16 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00427000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2023, 4:16 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2023, 4:17 p.m.	process_identifier: 2928 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00580000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2023, 4:17 p.m.	process_identifier: 2928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2023, 4:17 p.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72841000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2023, 4:17 p.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72842000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2023, 4:17 p.m.	process_identifier: 2928 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f20000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2023, 4:17 p.m.	process_identifier: 2928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2023, 4:17 p.m.	process_identifier: 2928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2023, 4:17 p.m.	process_identifier: 2928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2023, 4:17 p.m.	process_identifier: 2928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2023, 4:17 p.m.	process_identifier: 2928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00565000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2023, 4:17 p.m.	process_identifier: 2928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2023, 4:17 p.m.	process_identifier: 2928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00567000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2023, 4:17 p.m.	process_identifier: 2928 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\LifeSync Labs Inc\LifeSync.pif
file	C:\Users\test22\AppData\Local\Temp\57192\7460\Norm.pif
file	C:\Users\test22\AppData\Local\LifeSync Labs Inc\LifeSync.js

Creates a suspicious process (3 events)

cmdline	schtasks.exe /create /tn "Clip" /tr "wscript 'C:\Users\test22\AppData\Local\LifeSync Labs Inc\LifeSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
cmdline	schtasks.exe /create /tn "LifeSync" /tr "wscript 'C:\Users\test22\AppData\Local\LifeSync Labs Inc\LifeSync.js'" /sc onlogon /F /RL HIGHEST
cmdline	cmd /c schtasks.exe /create /tn "Clip" /tr "wscript 'C:\Users\test22\AppData\Local\LifeSync Labs Inc\LifeSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\57192\7460\Norm.pif

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\57192\7460\Norm.pif
file	C:\Users\test22\AppData\Local\Temp\57192\Recorders

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (15 events)

Time & API	Arguments	Status	Return
Process32NextW Nov. 11, 2023, 4:16 p.m.	snapshot_handle: 0x0000013c process_name: mobsync.exe process_identifier: 1664	1	1
Process32NextW Nov. 11, 2023, 4:16 p.m.	snapshot_handle: 0x0000013c process_name: SearchProtocolHost.exe process_identifier: 1256	1	1
Process32NextW Nov. 11, 2023, 4:16 p.m.	snapshot_handle: 0x0000013c process_name: conhost.exe process_identifier: 300	1	1
Process32NextW Nov. 11, 2023, 4:16 p.m.	snapshot_handle: 0x0000013c process_name: SearchFilterHost.exe process_identifier: 1440	1	1
Process32NextW Nov. 11, 2023, 4:16 p.m.	snapshot_handle: 0x0000013c process_name: system12.exe process_identifier: 1872	1	1
Process32NextW Nov. 11, 2023, 4:16 p.m.	snapshot_handle: 0x0000013c process_name: conhost.exe process_identifier: 2052	1	1
Process32NextW Nov. 11, 2023, 4:16 p.m.	snapshot_handle: 0x0000013c process_name: cmd.exe process_identifier: 2236	1	1
Process32NextW Nov. 11, 2023, 4:16 p.m.	snapshot_handle: 0x0000013c process_name: Norm.pif process_identifier: 2664	1	1
Process32NextW Nov. 11, 2023, 4:16 p.m.	snapshot_handle: 0x0000013c process_name: PING.EXE process_identifier: 2700	1	1
Process32NextW Nov. 11, 2023, 4:16 p.m.	snapshot_handle: 0x00000220 process_name: svchost.exe process_identifier: 3012	1	1
Process32NextW Nov. 11, 2023, 4:16 p.m.	snapshot_handle: 0x00000220 process_name: mscorsvw.exe process_identifier: 3040	1	1
Process32NextW Nov. 11, 2023, 4:16 p.m.	snapshot_handle: 0x00000220 process_name: sppsvc.exe process_identifier: 2124	1	1
Process32NextW Nov. 11, 2023, 4:16 p.m.	snapshot_handle: 0x00000220 process_name: cmd.exe process_identifier: 2312	1	1
Process32NextW Nov. 11, 2023, 4:16 p.m.	snapshot_handle: 0x00000220 process_name: conhost.exe process_identifier: 2328	1	1
Process32NextW Nov. 11, 2023, 4:17 p.m.	snapshot_handle: 0x00000218 process_name: cmd.exe process_identifier: 2796	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 11, 2023, 4:16 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Nov. 11, 2023, 4:16 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://docs.microsoft.com/windows/win32/fileio/maximum-file-path-limitation

Yara rule detected in process memory (18 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (7 events)

cmdline	schtasks.exe /create /tn "Clip" /tr "wscript 'C:\Users\test22\AppData\Local\LifeSync Labs Inc\LifeSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
cmdline	ping -n 15 localhost
cmdline	cmd /c mkdir 7460
cmdline	C:\Users\test22\AppData\Local\Temp\57192\7460\jsc.exe
cmdline	schtasks.exe /create /tn "LifeSync" /tr "wscript 'C:\Users\test22\AppData\Local\LifeSync Labs Inc\LifeSync.js'" /sc onlogon /F /RL HIGHEST
cmdline	cmd /c schtasks.exe /create /tn "Clip" /tr "wscript 'C:\Users\test22\AppData\Local\LifeSync Labs Inc\LifeSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
cmdline	tasklist

One or more of the buffers contains an embedded PE file (3 events)

buffer	Buffer with sha1: 601b42317c3fb90bbd1ac3ec91aa18d1ad33fd57
buffer	Buffer with sha1: eff818fe80d67355a26b79175d8a41d3e1d4ce60
buffer	Buffer with sha1: 2febc7e463b070d624864dc49070769e420eec56

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 11, 2023, 4:16 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 49152 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 process_handle: 0x00000224	1	0	0
NtProtectVirtualMemory Nov. 11, 2023, 4:17 p.m.	process_identifier: 2928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 49152 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000f0000 process_handle: 0x00000234	1	0	0

Installs itself for autorun at Windows startup (3 events)

cmdline	schtasks.exe /create /tn "Clip" /tr "wscript 'C:\Users\test22\AppData\Local\LifeSync Labs Inc\LifeSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
cmdline	schtasks.exe /create /tn "LifeSync" /tr "wscript 'C:\Users\test22\AppData\Local\LifeSync Labs Inc\LifeSync.js'" /sc onlogon /F /RL HIGHEST
cmdline	cmd /c schtasks.exe /create /tn "Clip" /tr "wscript 'C:\Users\test22\AppData\Local\LifeSync Labs Inc\LifeSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST

Expresses interest in specific running processes (3 events)

process: potential process injection target	explorer.exe
process	norm.pif
process	cmd.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2664 resumed a thread in remote process 2440
Process injection	Process 2664 resumed a thread in remote process 2928
NtResumeThread Nov. 11, 2023, 4:16 p.m.	thread_handle: 0x00000228 suspend_count: 1 process_identifier: 2440	1	0	0
NtResumeThread Nov. 11, 2023, 4:17 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2928	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (3 events)

cmdline	schtasks.exe /create /tn "Clip" /tr "wscript 'C:\Users\test22\AppData\Local\LifeSync Labs Inc\LifeSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
cmdline	schtasks.exe /create /tn "LifeSync" /tr "wscript 'C:\Users\test22\AppData\Local\LifeSync Labs Inc\LifeSync.js'" /sc onlogon /F /RL HIGHEST
cmdline	cmd /c schtasks.exe /create /tn "Clip" /tr "wscript 'C:\Users\test22\AppData\Local\LifeSync Labs Inc\LifeSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST

Executed a process and injected code into it, probably while unpacking (28 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Nov. 11, 2023, 4:16 p.m.	thread_identifier: 2196 thread_handle: 0x00000110 process_identifier: 2192 current_directory: C:\Users\test22\AppData\Local\Temp\57192 filepath: track: 1 command_line: cmd /k cmd < Personnel & exit filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000114	1	1
CreateProcessInternalW Nov. 11, 2023, 4:16 p.m.	thread_identifier: 2240 thread_handle: 0x00000088 process_identifier: 2236 current_directory: C:\Users\test22\AppData\Local\Temp\57192 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW Nov. 11, 2023, 4:16 p.m.	thread_identifier: 2284 thread_handle: 0x00000090 process_identifier: 2280 current_directory: C:\Users\test22\AppData\Local\Temp\57192 filepath: C:\Windows\System32\tasklist.exe track: 1 command_line: tasklist filepath_r: C:\Windows\system32\tasklist.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000098	1	1
CreateProcessInternalW Nov. 11, 2023, 4:16 p.m.	thread_identifier: 2320 thread_handle: 0x00000090 process_identifier: 2316 current_directory: C:\Users\test22\AppData\Local\Temp\57192 filepath: C:\Windows\System32\findstr.exe track: 1 command_line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" filepath_r: C:\Windows\system32\findstr.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000a0	1	1
CreateProcessInternalW Nov. 11, 2023, 4:16 p.m.	thread_identifier: 2428 thread_handle: 0x00000098 process_identifier: 2424 current_directory: C:\Users\test22\AppData\Local\Temp\57192 filepath: C:\Windows\System32\tasklist.exe track: 1 command_line: tasklist filepath_r: C:\Windows\system32\tasklist.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW Nov. 11, 2023, 4:16 p.m.	thread_identifier: 2464 thread_handle: 0x00000098 process_identifier: 2460 current_directory: C:\Users\test22\AppData\Local\Temp\57192 filepath: C:\Windows\System32\findstr.exe track: 1 command_line: findstr /I "wrsa.exe" filepath_r: C:\Windows\system32\findstr.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000a4	1	1
CreateProcessInternalW Nov. 11, 2023, 4:16 p.m.	thread_identifier: 2536 thread_handle: 0x000000a4 process_identifier: 2532 current_directory: C:\Users\test22\AppData\Local\Temp\57192 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd /c mkdir 7460 filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW Nov. 11, 2023, 4:16 p.m.	thread_identifier: 2580 thread_handle: 0x0000008c process_identifier: 2576 current_directory: C:\Users\test22\AppData\Local\Temp\57192 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd /c copy /b Recorders + Objective + Webshots + Webcast + Matthew 7460\Norm.pif filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000a4	1	1
CreateProcessInternalW Nov. 11, 2023, 4:16 p.m.	thread_identifier: 2624 thread_handle: 0x000000a4 process_identifier: 2620 current_directory: C:\Users\test22\AppData\Local\Temp\57192 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd /c copy /b Pounds 7460\s filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW Nov. 11, 2023, 4:16 p.m.	thread_identifier: 2668 thread_handle: 0x0000008c process_identifier: 2664 current_directory: C:\Users\test22\AppData\Local\Temp\57192 filepath: C:\Users\test22\AppData\Local\Temp\57192\7460\Norm.pif track: 1 command_line: 7460\Norm.pif 7460\s filepath_r: C:\Users\test22\AppData\Local\Temp\57192\7460\Norm.pif stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000a4	1	1
CreateProcessInternalW Nov. 11, 2023, 4:16 p.m.	thread_identifier: 2704 thread_handle: 0x000000a4 process_identifier: 2700 current_directory: C:\Users\test22\AppData\Local\Temp\57192 filepath: C:\Windows\System32\PING.EXE track: 1 command_line: ping -n 15 localhost filepath_r: C:\Windows\system32\PING.EXE stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW Nov. 11, 2023, 4:16 p.m.	thread_identifier: 2772 thread_handle: 0x0000013c process_identifier: 2768 current_directory: C:\Users\test22\AppData\Local\Temp\57192 filepath: track: 1 command_line: schtasks.exe /create /tn "LifeSync" /tr "wscript 'C:\Users\test22\AppData\Local\LifeSync Labs Inc\LifeSync.js'" /sc onlogon /F /RL HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000148	1	1
CreateProcessInternalW Nov. 11, 2023, 4:16 p.m.	thread_identifier: 2808 thread_handle: 0x0000013c process_identifier: 2804 current_directory: filepath: track: 1 command_line: cmd /c schtasks.exe /create /tn "Clip" /tr "wscript 'C:\Users\test22\AppData\Local\LifeSync Labs Inc\LifeSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134742016 (CREATE_NO_WINDOW\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000150	1	1
CreateProcessInternalW Nov. 11, 2023, 4:16 p.m.	thread_identifier: 2436 thread_handle: 0x00000228 process_identifier: 2440 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\57192\7460\jsc.exe filepath_r: stack_pivoted: 0 creation_flags: 134742020 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000224	1	1
NtGetContextThread Nov. 11, 2023, 4:16 p.m.	thread_handle: 0x00000228	1	0
NtAllocateVirtualMemory Nov. 11, 2023, 4:16 p.m.	process_identifier: 2440 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x000b0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000224	1	0
NtResumeThread Nov. 11, 2023, 4:16 p.m.	thread_handle: 0x00000228 suspend_count: 1 process_identifier: 2440	1	0
CreateProcessInternalW Nov. 11, 2023, 4:17 p.m.	thread_identifier: 2940 thread_handle: 0x00000190 process_identifier: 2928 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\57192\7460\jsc.exe filepath_r: stack_pivoted: 0 creation_flags: 134742020 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000234	1	1
NtGetContextThread Nov. 11, 2023, 4:17 p.m.	thread_handle: 0x00000190	1	0
NtAllocateVirtualMemory Nov. 11, 2023, 4:17 p.m.	process_identifier: 2928 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x000f0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000234	1	0
NtResumeThread Nov. 11, 2023, 4:17 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2928	1	0
CreateProcessInternalW Nov. 11, 2023, 4:16 p.m.	thread_identifier: 2960 thread_handle: 0x00000084 process_identifier: 2956 current_directory: C:\Users\test22\AppData\Local\Temp\57192 filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks.exe /create /tn "Clip" /tr "wscript 'C:\Users\test22\AppData\Local\LifeSync Labs Inc\LifeSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
NtResumeThread Nov. 11, 2023, 4:16 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2440	1	0
NtResumeThread Nov. 11, 2023, 4:16 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2440	1	0
NtResumeThread Nov. 11, 2023, 4:16 p.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2440	1	0
NtResumeThread Nov. 11, 2023, 4:17 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2928	1	0
NtResumeThread Nov. 11, 2023, 4:17 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2928	1	0
NtResumeThread Nov. 11, 2023, 4:17 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2928	1	0

system12.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All