Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 7, 2024, 9:28 a.m.	June 7, 2024, 9:36 a.m.

Size	591.6KB
Type	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5	`9c4b350eb7315c2f6f4b2eb64bccd918`
SHA256	`a3474b0f77b365c5bb21ee74a83575788f6009263c725c592cfef674e22915d4`
CRC32	`99BB83E7`
ssdeep	`12288:LZxxAYeicWjZSvFNlHXOBDLFo/uL4dbV1I2DmzDy7VS04tP:LPxLgWlMJHXOBDLFUdbV1I2DV79G`
Yara	IsPE64 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature

Tlcf4ubbOhvrFYkon.exe "C:\Users\test22\AppData\Local\Temp\Tlcf4ubbOhvrFYkon.exe"
1648
- iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2616

Name	Response	Post-Analysis Lookup
www.eshopkhaliji.store	A 158.176.194.183 A 141.125.157.19 A 158.176.192.52 A 141.125.104.208	158.176.194.183
www.caxars.store	CNAME caxars.store A 91.184.0.200	91.184.0.200
www.shopadamsstore.com	CNAME d051d6-2.myshopify.com CNAME shops.myshopify.com A 23.227.38.74	23.227.38.74
www.kampspacex.com

IP Address	Status	Action
141.125.157.19	Active	Moloch
164.124.101.2	Active	Moloch
23.227.38.74	Active	Moloch
91.184.0.200	Active	Moloch
45.33.6.223	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49168 -> 91.184.0.200:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 23.227.38.74:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 141.125.157.19:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 23.227.38.74:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 141.125.157.19:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 7, 2024, 9:21 a.m.			0	0
IsDebuggerPresent June 7, 2024, 9:21 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey June 7, 2024, 9:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000003d6550 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 7, 2024, 9:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000003d68d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 7, 2024, 9:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000003d68d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 7, 2024, 9:21 a.m.		1	1	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 7, 2024, 9:21 a.m.	stacktrace: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 @ 0x777840f2 EtwEnumerateProcessRegGuids+0x216 RtlTraceDatabaseLock-0x2a ntdll+0xc4736 @ 0x77784736 RtlQueryProcessLockInformation+0x972 RtlTraceDatabaseEnumerate-0xe ntdll+0xc5942 @ 0x77785942 RtlLogStackBackTrace+0x444 RtlTraceDatabaseCreate-0x4ec ntdll+0xc75f4 @ 0x777875f4 RtlIsDosDeviceName_U+0x1420f NtdllDialogWndProc_A-0x1a55d ntdll+0x6dc8f @ 0x7772dc8f LocalFree+0x32 LocalAlloc-0x2e kernelbase+0x1582 @ 0x7fefdbf1582 mscorlib+0x56df08 @ 0x7fef24bdf08 mscorlib+0x4705ad @ 0x7fef23c05ad CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef35ff713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef35ff242 StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef364b042 StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef364ad83 mscorlib+0x563bfc @ 0x7fef24b3bfc mscorlib+0x486001 @ 0x7fef23d6001 0x7fe93f6d695 0x7fe93f6cf2b 0x7fe93f6c6df 0x7fe93f68d7d 0x7fe93f689f4 0x7fe93f6806d 0x7fe93f6521c 0x7fe93f819d4 0x7fe93f80ddf CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef35ff713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef35ff242 StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef364b042 StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef364ad83 mscorlib+0x563c95 @ 0x7fef24b3c95 mscorlib+0x486001 @ 0x7fef23d6001 0x7fe93f6d695 0x7fe93f6cf2b 0x7fe93f6c6df 0x7fe93f68d7d 0x7fe93f689f4 0x7fe93f6806d 0x7fe93f6521c 0x7fe93f7b2c2 CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef35ff713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef35ff242 StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef364b042 StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef364ad83 mscorlib+0x563c95 @ 0x7fef24b3c95 mscorlib+0x486001 @ 0x7fef23d6001 mscorlib+0x48c543 @ 0x7fef23dc543 CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef35ff713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef35ff242 StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef364b042 StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef364ad83 mscorlib+0x563bfc @ 0x7fef24b3bfc mscorlib+0x486001 @ 0x7fef23d6001 microsoft+0x786c6 @ 0x7feef0d86c6 microsoft+0x607a7 @ 0x7feef0c07a7 microsoft+0x5fe83 @ 0x7feef0bfe83 microsoft+0x1f9daf @ 0x7feef259daf CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef35ff713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef35ff242 StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef364b042 StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef364ad83 mscorlib+0x563bfc @ 0x7fef24b3bfc mscorlib+0x486001 @ 0x7fef23d6001 0x7fe93f63e9e 0x7fe93f61f14 system+0x28162b @ 0x7fef13f162b 0x7fe93f60450 exception.instruction_r: eb 00 48 8b 9c 24 d0 00 00 00 48 81 c4 c0 00 00 exception.symbol: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 exception.instruction: jmp 0x777840f4 exception.module: ntdll.dll exception.exception_code: 0xc0000374 exception.offset: 803058 exception.address: 0x777840f2 registers.r14: 2158344 registers.r15: 4 registers.rcx: 2140864 registers.rsi: 2158216 registers.r10: 0 registers.rbx: 37372480 registers.rsp: 2157856 registers.r11: 646 registers.r8: 7618582802661553819 registers.r9: 566285442 registers.rdx: 2004857936 registers.r12: 0 registers.rbp: 2157936 registers.rdi: 2158640 registers.rax: 2002698182 registers.r13: 2158688	1	0	0
__exception__ June 7, 2024, 9:21 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdbfa49d PreBindAssemblyEx+0x35208 CreateHistoryReader-0x3da5c clr+0x137ffc @ 0x7fef36e7ffc PreBindAssemblyEx+0x35256 CreateHistoryReader-0x3da0e clr+0x13804a @ 0x7fef36e804a PreBindAssemblyEx+0x35261 CreateHistoryReader-0x3da03 clr+0x138055 @ 0x7fef36e8055 0x7fe93f600b8 CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef35ff713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef35ff242 CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef35ff30b _CorExeMain+0x335c ClrCreateManagedInstance-0x15ae4 clr+0x1e721c @ 0x7fef379721c _CorExeMain+0x3ab6 ClrCreateManagedInstance-0x1538a clr+0x1e7976 @ 0x7fef3797976 _CorExeMain+0x39b0 ClrCreateManagedInstance-0x15490 clr+0x1e7870 @ 0x7fef3797870 _CorExeMain+0x3526 ClrCreateManagedInstance-0x1591a clr+0x1e73e6 @ 0x7fef37973e6 _CorExeMain+0x347e ClrCreateManagedInstance-0x159c2 clr+0x1e733e @ 0x7fef379733e _CorExeMain+0x14 ClrCreateManagedInstance-0x18e2c clr+0x1e3ed4 @ 0x7fef3793ed4 _CorExeMain+0x5d CLRCreateInstance-0x2bd3 mscoreei+0x74e5 @ 0x7fef3f974e5 _CorExeMain+0x69 ND_RU1-0x1707 mscoree+0x5b21 @ 0x7fef4035b21 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0xc0000374 exception.offset: 42141 exception.address: 0x7fefdbfa49d registers.r14: 0 registers.r15: 0 registers.rcx: 2154640 registers.rsi: 0 registers.r10: 8789985460408 registers.rbx: 0 registers.rsp: 2161728 registers.r11: 2156256 registers.r8: 0 registers.r9: 0 registers.rdx: 8791592903568 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 2002712054 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

June 7, 2024, 9:21 a.m.

stacktrace:

RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 @ 0x777840f2
EtwEnumerateProcessRegGuids+0x216 RtlTraceDatabaseLock-0x2a ntdll+0xc4736 @ 0x77784736
RtlQueryProcessLockInformation+0x972 RtlTraceDatabaseEnumerate-0xe ntdll+0xc5942 @ 0x77785942
RtlLogStackBackTrace+0x444 RtlTraceDatabaseCreate-0x4ec ntdll+0xc75f4 @ 0x777875f4
RtlIsDosDeviceName_U+0x1420f NtdllDialogWndProc_A-0x1a55d ntdll+0x6dc8f @ 0x7772dc8f
LocalFree+0x32 LocalAlloc-0x2e kernelbase+0x1582 @ 0x7fefdbf1582
mscorlib+0x56df08 @ 0x7fef24bdf08
mscorlib+0x4705ad @ 0x7fef23c05ad
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef35ff713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef35ff242
StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef364b042
StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef364ad83
mscorlib+0x563bfc @ 0x7fef24b3bfc
mscorlib+0x486001 @ 0x7fef23d6001
0x7fe93f6d695
0x7fe93f6cf2b
0x7fe93f6c6df
0x7fe93f68d7d
0x7fe93f689f4
0x7fe93f6806d
0x7fe93f6521c
0x7fe93f819d4
0x7fe93f80ddf
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef35ff713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef35ff242
StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef364b042
StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef364ad83
mscorlib+0x563c95 @ 0x7fef24b3c95
mscorlib+0x486001 @ 0x7fef23d6001
0x7fe93f6d695
0x7fe93f6cf2b
0x7fe93f6c6df
0x7fe93f68d7d
0x7fe93f689f4
0x7fe93f6806d
0x7fe93f6521c
0x7fe93f7b2c2
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef35ff713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef35ff242
StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef364b042
StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef364ad83
mscorlib+0x563c95 @ 0x7fef24b3c95
mscorlib+0x486001 @ 0x7fef23d6001
mscorlib+0x48c543 @ 0x7fef23dc543
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef35ff713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef35ff242
StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef364b042
StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef364ad83
mscorlib+0x563bfc @ 0x7fef24b3bfc
mscorlib+0x486001 @ 0x7fef23d6001
microsoft+0x786c6 @ 0x7feef0d86c6
microsoft+0x607a7 @ 0x7feef0c07a7
microsoft+0x5fe83 @ 0x7feef0bfe83
microsoft+0x1f9daf @ 0x7feef259daf
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef35ff713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef35ff242
StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef364b042
StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef364ad83
mscorlib+0x563bfc @ 0x7fef24b3bfc
mscorlib+0x486001 @ 0x7fef23d6001
0x7fe93f63e9e
0x7fe93f61f14
system+0x28162b @ 0x7fef13f162b
0x7fe93f60450

exception.instruction_r: eb 00 48 8b 9c 24 d0 00 00 00 48 81 c4 c0 00 00
exception.symbol: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2
exception.instruction: jmp 0x777840f4
exception.module: ntdll.dll
exception.exception_code: 0xc0000374
exception.offset: 803058
exception.address: 0x777840f2
registers.r14: 2158344
registers.r15: 4
registers.rcx: 2140864
registers.rsi: 2158216
registers.r10: 0
registers.rbx: 37372480
registers.rsp: 2157856
registers.r11: 646
registers.r8: 7618582802661553819
registers.r9: 566285442
registers.rdx: 2004857936
registers.r12: 0
registers.rbp: 2157936
registers.rdi: 2158640
registers.rax: 2002698182
registers.r13: 2158688

__exception__

June 7, 2024, 9:21 a.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdbfa49d
PreBindAssemblyEx+0x35208 CreateHistoryReader-0x3da5c clr+0x137ffc @ 0x7fef36e7ffc
PreBindAssemblyEx+0x35256 CreateHistoryReader-0x3da0e clr+0x13804a @ 0x7fef36e804a
PreBindAssemblyEx+0x35261 CreateHistoryReader-0x3da03 clr+0x138055 @ 0x7fef36e8055
0x7fe93f600b8
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef35ff713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef35ff242
CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef35ff30b
_CorExeMain+0x335c ClrCreateManagedInstance-0x15ae4 clr+0x1e721c @ 0x7fef379721c
_CorExeMain+0x3ab6 ClrCreateManagedInstance-0x1538a clr+0x1e7976 @ 0x7fef3797976
_CorExeMain+0x39b0 ClrCreateManagedInstance-0x15490 clr+0x1e7870 @ 0x7fef3797870
_CorExeMain+0x3526 ClrCreateManagedInstance-0x1591a clr+0x1e73e6 @ 0x7fef37973e6
_CorExeMain+0x347e ClrCreateManagedInstance-0x159c2 clr+0x1e733e @ 0x7fef379733e
_CorExeMain+0x14 ClrCreateManagedInstance-0x18e2c clr+0x1e3ed4 @ 0x7fef3793ed4
_CorExeMain+0x5d CLRCreateInstance-0x2bd3 mscoreei+0x74e5 @ 0x7fef3f974e5
_CorExeMain+0x69 ND_RU1-0x1707 mscoree+0x5b21 @ 0x7fef4035b21
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0xc0000374
exception.offset: 42141
exception.address: 0x7fefdbfa49d
registers.r14: 0
registers.r15: 0
registers.rcx: 2154640
registers.rsi: 0
registers.r10: 8789985460408
registers.rbx: 0
registers.rsp: 2161728
registers.r11: 2156256
registers.r8: 0
registers.r9: 0
registers.rdx: 8791592903568
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 2002712054
registers.r13: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.eshopkhaliji.store/muti/?8p=PenW7MtlXSrvxOPA1PJj8U2jUUvXlhwVh1FpwKQCNXiCStQ1MIBfQTqa3m2cpudHTvQpU++Q&4h=vTxdQD-PSRspeX7&sql=1
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.caxars.store/muti/?8p=vAkEv8VlD6HvoJ7OTZ3UyhPmsIwewVN5MI8wV+ea/g1itgmvOaYSZ0nMfK3GudfMXpkuz2fr&4h=vTxdQD-PSRspeX7&sql=1
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.shopadamsstore.com/muti/?8p=rUMPbDi9V+hLkBWFtVE1y7T4O5kE79Gi8Nwpb3xjlkSgEF4tpwDWlQ4hDt2c39K6jtdDQHz5&4h=vTxdQD-PSRspeX7&sql=1

Performs some HTTP requests (6 events)

request	GET http://www.eshopkhaliji.store/muti/?8p=PenW7MtlXSrvxOPA1PJj8U2jUUvXlhwVh1FpwKQCNXiCStQ1MIBfQTqa3m2cpudHTvQpU++Q&4h=vTxdQD-PSRspeX7&sql=1
request	POST http://www.eshopkhaliji.store/muti/
request	GET http://www.caxars.store/muti/?8p=vAkEv8VlD6HvoJ7OTZ3UyhPmsIwewVN5MI8wV+ea/g1itgmvOaYSZ0nMfK3GudfMXpkuz2fr&4h=vTxdQD-PSRspeX7&sql=1
request	POST http://www.caxars.store/muti/
request	GET http://www.shopadamsstore.com/muti/?8p=rUMPbDi9V+hLkBWFtVE1y7T4O5kE79Gi8Nwpb3xjlkSgEF4tpwDWlQ4hDt2c39K6jtdDQHz5&4h=vTxdQD-PSRspeX7&sql=1
request	POST http://www.shopadamsstore.com/muti/

Sends data using the HTTP POST Method (3 events)

request	POST http://www.eshopkhaliji.store/muti/
request	POST http://www.caxars.store/muti/
request	POST http://www.shopadamsstore.com/muti/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 127 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c4b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000650000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e3a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93eec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f16000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ef0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e4c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e4a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e5b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e8c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e5d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e4b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fa1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e3b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fa2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fa3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fa4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fa5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fa6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 1648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fa7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Creates a suspicious process (1 event)

cmdline

C:\Windows\System32\cmd.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 7, 2024, 9:21 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW June 7, 2024, 9:28 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	Used Formbook[m]	rule	Win_Trojan_Formbook_m_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
cmdline	C:\Program Files (x86)\Internet Explorer\iexplore.exe

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: dee287e4a2ca80dd1c5d1e200f92d78acddf83ed

Communicates with host for which no DNS query was performed (1 event)

host

45.33.6.223

Allocates execute permission to another process indicative of possible code injection (5 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 2380 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000260	1	0
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 2480 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000268		-1073741800
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 2544 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000270		-1073741800
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 2580 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000280	1	0
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 2616 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000288	1	0

Manipulates memory of a non-child process indicative of process injection (12 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1648 manipulating memory of non-child process 2380
Process injection	Process 1648 manipulating memory of non-child process 2480
Process injection	Process 1648 manipulating memory of non-child process 2544
Process injection	Process 1648 manipulating memory of non-child process 2580
NtUnmapViewOfSection June 7, 2024, 9:21 a.m.	base_address: 0x0000000000400000 region_size: 389120 process_identifier: 2380 process_handle: 0x0000000000000260	1	0	0
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 2380 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000260	1	0	0
NtUnmapViewOfSection June 7, 2024, 9:21 a.m.	base_address: 0x0000000000400000 region_size: 245760 process_identifier: 2480 process_handle: 0x0000000000000268		-1073741799	0
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 2480 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000268		-1073741800	0
NtUnmapViewOfSection June 7, 2024, 9:21 a.m.	base_address: 0x0000000000400000 region_size: 1884160 process_identifier: 2544 process_handle: 0x0000000000000270		-1073741799	0
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 2544 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000270		-1073741800	0
NtUnmapViewOfSection June 7, 2024, 9:21 a.m.	base_address: 0x0000000000400000 region_size: 1242824704 process_identifier: 2580 process_handle: 0x0000000000000280		-1073741799	0
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 2580 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000280	1	0	0

Potential code injection by writing to the memory of another process (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1648 injected into non-child 2380
Process injection	Process 1648 injected into non-child 2580
WriteProcessMemory June 7, 2024, 9:21 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $«üêïf¹ïf¹ïf¹ôÍ¹©f¹ôø¹ìf¹ôû¹îf¹Richïf¹PEL¶Ä>à Òpðð@ð@.textÔÐÒ ` base_address: 0x0000000000400000 process_identifier: 2380 process_handle: 0x0000000000000260	1	1	0
WriteProcessMemory June 7, 2024, 9:21 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $«üêïf¹ïf¹ïf¹ôÍ¹©f¹ôø¹ìf¹ôû¹îf¹Richïf¹PEL¶Ä>à Òpðð@ð@.textÔÐÒ ` base_address: 0x0000000000400000 process_identifier: 2580 process_handle: 0x0000000000000280	1	1	0
WriteProcessMemory June 7, 2024, 9:21 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $«üêïf¹ïf¹ïf¹ôÍ¹©f¹ôø¹ìf¹ôû¹îf¹Richïf¹PEL¶Ä>à Òpðð@ð@.textÔÐÒ ` base_address: 0x0000000000400000 process_identifier: 2616 process_handle: 0x0000000000000288	1	1	0
WriteProcessMemory June 7, 2024, 9:21 a.m.	buffer: @ base_address: 0x000000007efde008 process_identifier: 2616 process_handle: 0x0000000000000288	1	1	0

Code injection by writing an executable or DLL to the memory of another process (5 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1648 injected into non-child 2380
Process injection	Process 1648 injected into non-child 2580
WriteProcessMemory June 7, 2024, 9:21 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $«üêïf¹ïf¹ïf¹ôÍ¹©f¹ôø¹ìf¹ôû¹îf¹Richïf¹PEL¶Ä>à Òpðð@ð@.textÔÐÒ ` base_address: 0x0000000000400000 process_identifier: 2380 process_handle: 0x0000000000000260	1	1	0
WriteProcessMemory June 7, 2024, 9:21 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $«üêïf¹ïf¹ïf¹ôÍ¹©f¹ôø¹ìf¹ôû¹îf¹Richïf¹PEL¶Ä>à Òpðð@ð@.textÔÐÒ ` base_address: 0x0000000000400000 process_identifier: 2580 process_handle: 0x0000000000000280	1	1	0
WriteProcessMemory June 7, 2024, 9:21 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $«üêïf¹ïf¹ïf¹ôÍ¹©f¹ôø¹ìf¹ôû¹îf¹Richïf¹PEL¶Ä>à Òpðð@ð@.textÔÐÒ ` base_address: 0x0000000000400000 process_identifier: 2616 process_handle: 0x0000000000000288	1	1	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1648 resumed a thread in remote process 2616
NtResumeThread June 7, 2024, 9:21 a.m.	thread_handle: 0x000000000000028c suspend_count: 1 process_identifier: 2616	1	0	0

Executed a process and injected code into it, probably while unpacking (32 events)

Time & API	Arguments	Status	Return
NtResumeThread June 7, 2024, 9:21 a.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 1648	1	0
NtResumeThread June 7, 2024, 9:21 a.m.	thread_handle: 0x0000000000000138 suspend_count: 1 process_identifier: 1648	1	0
NtResumeThread June 7, 2024, 9:21 a.m.	thread_handle: 0x000000000000017c suspend_count: 1 process_identifier: 1648	1	0
NtResumeThread June 7, 2024, 9:21 a.m.	thread_handle: 0x0000000000000238 suspend_count: 1 process_identifier: 1648	1	0
CreateProcessInternalW June 7, 2024, 9:21 a.m.	thread_identifier: 2384 thread_handle: 0x0000000000000264 process_identifier: 2380 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000260	1	1
NtUnmapViewOfSection June 7, 2024, 9:21 a.m.	base_address: 0x0000000000400000 region_size: 389120 process_identifier: 2380 process_handle: 0x0000000000000260	1	0
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 2380 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000260	1	0
WriteProcessMemory June 7, 2024, 9:21 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $«üêïf¹ïf¹ïf¹ôÍ¹©f¹ôø¹ìf¹ôû¹îf¹Richïf¹PEL¶Ä>à Òpðð@ð@.textÔÐÒ ` base_address: 0x0000000000400000 process_identifier: 2380 process_handle: 0x0000000000000260	1	1
WriteProcessMemory June 7, 2024, 9:21 a.m.	buffer: base_address: 0x0000000000401000 process_identifier: 2380 process_handle: 0x0000000000000260	1	1
WriteProcessMemory June 7, 2024, 9:21 a.m.	buffer: base_address: 0xfffffffffffde008 process_identifier: 2380 process_handle: 0x0000000000000260		0
CreateProcessInternalW June 7, 2024, 9:21 a.m.	thread_identifier: 2484 thread_handle: 0x000000000000026c process_identifier: 2480 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000268	1	1
NtUnmapViewOfSection June 7, 2024, 9:21 a.m.	base_address: 0x0000000000400000 region_size: 245760 process_identifier: 2480 process_handle: 0x0000000000000268		-1073741799
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 2480 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000268		-1073741800
WriteProcessMemory June 7, 2024, 9:21 a.m.	buffer: base_address: 0x0000000000000000 process_identifier: 2480 process_handle: 0x0000000000000268		0
CreateProcessInternalW June 7, 2024, 9:21 a.m.	thread_identifier: 0 thread_handle: 0x0000000000000000 process_identifier: 0 current_directory: filepath: C:\Program Files (x86)\Windows Media Player\wmplayer.exe track: 0 command_line: filepath_r: C:\Program Files (x86)\Windows Media Player\wmplayer.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000000		0
CreateProcessInternalW June 7, 2024, 9:21 a.m.	thread_identifier: 2548 thread_handle: 0x0000000000000274 process_identifier: 2544 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000270	1	1
NtUnmapViewOfSection June 7, 2024, 9:21 a.m.	base_address: 0x0000000000400000 region_size: 1884160 process_identifier: 2544 process_handle: 0x0000000000000270		-1073741799
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 2544 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000270		-1073741800
WriteProcessMemory June 7, 2024, 9:21 a.m.	buffer: base_address: 0x0000000000000000 process_identifier: 2544 process_handle: 0x0000000000000270		0
CreateProcessInternalW June 7, 2024, 9:21 a.m.	thread_identifier: 2584 thread_handle: 0x0000000000000284 process_identifier: 2580 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000280	1	1
NtUnmapViewOfSection June 7, 2024, 9:21 a.m.	base_address: 0x0000000000400000 region_size: 1242824704 process_identifier: 2580 process_handle: 0x0000000000000280		-1073741799
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 2580 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000280	1	0
WriteProcessMemory June 7, 2024, 9:21 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $«üêïf¹ïf¹ïf¹ôÍ¹©f¹ôø¹ìf¹ôû¹îf¹Richïf¹PEL¶Ä>à Òpðð@ð@.textÔÐÒ ` base_address: 0x0000000000400000 process_identifier: 2580 process_handle: 0x0000000000000280	1	1
WriteProcessMemory June 7, 2024, 9:21 a.m.	buffer: base_address: 0x0000000000401000 process_identifier: 2580 process_handle: 0x0000000000000280	1	1
CreateProcessInternalW June 7, 2024, 9:21 a.m.	thread_identifier: 2620 thread_handle: 0x000000000000028c process_identifier: 2616 current_directory: filepath: C:\Program Files (x86)\Internet Explorer\iexplore.exe track: 1 command_line: filepath_r: C:\Program Files (x86)\Internet Explorer\iexplore.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000288	1	1
NtUnmapViewOfSection June 7, 2024, 9:21 a.m.	base_address: 0x0000000000400000 region_size: 15073280 process_identifier: 2616 process_handle: 0x0000000000000288		-1073741799
NtAllocateVirtualMemory June 7, 2024, 9:21 a.m.	process_identifier: 2616 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000288	1	0
WriteProcessMemory June 7, 2024, 9:21 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $«üêïf¹ïf¹ïf¹ôÍ¹©f¹ôø¹ìf¹ôû¹îf¹Richïf¹PEL¶Ä>à Òpðð@ð@.textÔÐÒ ` base_address: 0x0000000000400000 process_identifier: 2616 process_handle: 0x0000000000000288	1	1
WriteProcessMemory June 7, 2024, 9:21 a.m.	buffer: base_address: 0x0000000000401000 process_identifier: 2616 process_handle: 0x0000000000000288	1	1
WriteProcessMemory June 7, 2024, 9:21 a.m.	buffer: @ base_address: 0x000000007efde008 process_identifier: 2616 process_handle: 0x0000000000000288	1	1
NtResumeThread June 7, 2024, 9:21 a.m.	thread_handle: 0x000000000000028c suspend_count: 1 process_identifier: 2616	1	0
CreateProcessInternalW June 7, 2024, 9:21 a.m.	thread_identifier: 2680 thread_handle: 0x0000000000000294 process_identifier: 2676 current_directory: filepath: C:\Program Files (x86)\Internet Explorer\iexplore.exe track: 1 command_line: filepath_r: C:\Program Files (x86)\Internet Explorer\iexplore.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000290	1	1

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Bkav	W64.AIDetectMalware.CS
Lionic	Trojan.Win32.Noon.l!c
Cynet	Malicious (score: 99)
Skyhigh	Artemis!Trojan
ALYac	Gen:Variant.MSILHeracles.167115
Cylance	Unsafe
VIPRE	Gen:Variant.MSILHeracles.167115
Sangfor	Spyware.Msil.Kryptik.Vq2c
BitDefender	Gen:Variant.MSILHeracles.167115
Arcabit	Trojan.MSILHeracles.D28CCB
VirIT	Trojan.Win32.GenusT.DWZV
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Kryptik.ALSY
APEX	Malicious
McAfee	Artemis!9C4B350EB731
Avast	Win64:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan-Spy.MSIL.Noon.gen
Alibaba	TrojanSpy:MSIL/Kryptik.fe397c34
MicroWorld-eScan	Gen:Variant.MSILHeracles.167115
Rising	Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:5sAHyuBqZsX+LmVvSivPRg)
Emsisoft	Gen:Variant.MSILHeracles.167115 (B)
F-Secure	Trojan.TR/AD.Swotter.vauzj
McAfeeD	ti!A3474B0F77B3
FireEye	Gen:Variant.MSILHeracles.167115
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Inject
Google	Detected
Avira	TR/AD.Swotter.vauzj
MAX	malware (ai score=82)
Kingsoft	MSIL.Trojan-Spy.Noon.gen
Microsoft	Trojan:Win32/FormBook.AFB!MTB
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Noon.gen
GData	Gen:Variant.MSILHeracles.167115
Varist	W64/MSIL_Agent.IDY.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.C5431166
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.1257429347
Panda	Trj/Chgt.AD
MaxSecure	Trojan.Malware.73691310.susgen
Fortinet	W32/Malicious_Behavior.SBX
AVG	Win64:PWSX-gen [Trj]
Paloalto	generic.ml

Tlcf4ubbOhvrFYkon.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All