Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 16, 2024, 11:06 a.m.	Oct. 16, 2024, 11:13 a.m.

Size	1.8MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`d44e2b02979b3331e0eb2fab9e96196e`
SHA256	`22fb4c9c67ccdfcd03136a651aaa697c448d86f2a156bd4ef0113adfc2948635`
CRC32	`AACADBFC`
ssdeep	`24576:aoqNaMikG4YtrhhdMS3HjaTJTO3eVq5ZzSicg9Z/On7DMNAnB7IbKn1o3wtjW0cV:TvA+qU2Ju5zf0PIW1oS2`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

service.exe "C:\Users\test22\AppData\Local\Temp\service.exe"
840
- service.exe 1 C:\Users\test22\AppData\Local\Temp\255132002555.ps1 C:\Users\test22\AppData\Local\Temp\435534154234324.txt
  1280
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ExecutionPolicy RemoteSigned -Scope Process -Force -Confirm:$false;$PSDefaultParameterValues = @{'Out-File:Encoding' = 'utf8'}; " C:\Users\test22\AppData\Local\Temp\15002164.ps1" | Out-File -encoding UTF8 "C:\Users\test22\AppData\Local\Temp\42412566645505.txt"
  2780
explorer.exe C:\Windows\Explorer.EXE
1236
- powershell.exe powershell.exe Set-ExecutionPolicy RemoteSigned -Scope Process -Force -Confirm:$false;$PSDefaultParameterValues = @{'Out-File:Encoding' = 'utf8'}; " C:\Users\test22\AppData\Local\Temp\255132002555.ps1" | Out-File -encoding UTF8 "C:\Users\test22\AppData\Local\Temp\435534154234324.txt"
  2212

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
178.156.131.83	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (16 events)

Time & API	Arguments	Status	Return
GetComputerNameA Oct. 16, 2024, 10:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 16, 2024, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 16, 2024, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 11:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 11:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 11:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 11:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 16, 2024, 11:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 11:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 11:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 11:07 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 16, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Oct. 16, 2024, 11:07 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (50 out of 96 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000032f920 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f7f30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f7f30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f7f30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f7bb0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f7bb0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f7b40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f7b40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f7b40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f7b40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f8470 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f8470 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f8470 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f8240 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f8240 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f8240 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f8320 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f8320 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f8320 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f8320 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f8320 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f8320 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f8320 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f8320 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f88d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f88d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f88d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f8240 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f8240 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f8a20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f8a20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f8240 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f8240 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f8240 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1e0d60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1e0d60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1e0d60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1e0d60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2252b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2252b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b225630 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b225630 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b236f30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b236fa0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b237010 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b236fa0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b236fa0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f8240 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f8240 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b1f8240 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 16, 2024, 10:59 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 360 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 16, 2024, 10:58 a.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c40000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004910000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 region_size: 2490368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002640000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef382e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef382e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef382f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef382f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef382f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef382f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef382f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef382f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef382f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef382f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3830000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3830000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3830000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3830000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3830000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3831000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3831000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3831000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3831000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef382e000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00022000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00012000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002822000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002824000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00023000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00024000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00112000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00025000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00160000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00013000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00026000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00113000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0001a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

service.exe tried to sleep 226 seconds, actually delayed analysis time by 185 seconds

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\launcher.lnk
file	C:\Users\test22\AppData\Local\Temp\255132002555.ps1
file	C:\Users\test22\AppData\Local\Temp\15002164.ps1

Creates a shortcut to an executable file (3 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\launcher.lnk
file	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	powershell.exe Set-ExecutionPolicy RemoteSigned -Scope Process -Force -Confirm:$false;$PSDefaultParameterValues = @{'Out-File:Encoding' = 'utf8'}; " C:\Users\test22\AppData\Local\Temp\255132002555.ps1" \| Out-File -encoding UTF8 "C:\Users\test22\AppData\Local\Temp\435534154234324.txt"
cmdline	powershell.exe Set-ExecutionPolicy RemoteSigned -Scope Process -Force -Confirm:$false;$PSDefaultParameterValues = @{'Out-File:Encoding' = 'utf8'}; " C:\Users\test22\AppData\Local\Temp\15002164.ps1" \| Out-File -encoding UTF8 "C:\Users\test22\AppData\Local\Temp\42412566645505.txt"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ExecutionPolicy RemoteSigned -Scope Process -Force -Confirm:$false;$PSDefaultParameterValues = @{'Out-File:Encoding' = 'utf8'}; " C:\Users\test22\AppData\Local\Temp\15002164.ps1" \| Out-File -encoding UTF8 "C:\Users\test22\AppData\Local\Temp\42412566645505.txt"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 16, 2024, 10:59 a.m.	show_type: 0 filepath_r: powershell.exe parameters: Set-ExecutionPolicy RemoteSigned -Scope Process -Force -Confirm:$false;$PSDefaultParameterValues = @{'Out-File:Encoding' = 'utf8'}; " C:\Users\test22\AppData\Local\Temp\15002164.ps1" \| Out-File -encoding UTF8 "C:\Users\test22\AppData\Local\Temp\42412566645505.txt" filepath: powershell.exe	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 16, 2024, 10:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 16, 2024, 11:07 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 128ebbf81d5c72b7f4200ecfd2a7fe21a2557f2f

Communicates with host for which no DNS query was performed (1 event)

host

178.156.131.83

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 16, 2024, 10:58 a.m.	process_identifier: 1280 region_size: 155648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000070	1	0	0
NtAllocateVirtualMemory Oct. 16, 2024, 10:58 a.m.	process_identifier: 1236 region_size: 155648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002c00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000000000000030	1	0	0

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\launcher.lnk

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1280 created a remote thread in non-child process 1236
CreateRemoteThread Oct. 16, 2024, 10:58 a.m.	thread_identifier: 0 process_identifier: 1236 function_address: 0x0000000002c011d0 flags: 0 stack_size: 0 parameter: 0x0000000002be0000 process_handle: 0x0000000000000030	1	52	0

Manipulates memory of a non-child process indicative of process injection (3 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1280 manipulating memory of non-child process 1236
NtAllocateVirtualMemory Oct. 16, 2024, 10:58 a.m.	process_identifier: 1236 region_size: 155648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002c00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000000000000030	1	0	0
NtAllocateVirtualMemory Oct. 16, 2024, 10:58 a.m.	process_identifier: 1236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x0000000002be0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000030	1	0	0

Potential code injection by writing to the memory of another process (14 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1280 injected into non-child 1236
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $´®hQÕÀ;QÕÀ;QÕÀ;Ã:TÕÀ;Å:ÛÕÀ;Ä:[ÕÀ;DªÄ:@ÕÀ;DªÃ:XÕÀ;DªÅ:}ÕÀ;Á:RÕÀ;QÕÁ;3ÕÀ;hUÉ:PÕÀ;hU?;PÕÀ;hUÂ:PÕÀ;RichQÕÀ;PEdvÄfð"%&âp(@``Ù(@àÌP`¼8 »@@.text3%& `.rdata@¢@¤*@@.data$ðÎ@À.pdataÌÚ@@_RDATA\0î@@.rsrcà@ð@@.relocPò@B base_address: 0x0000000140000000 process_identifier: 1280 process_handle: 0x0000000000000070	1	1	0
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: @ base_address: 0x000007fffffdf010 process_identifier: 1280 process_handle: 0x0000000000000070	1	1	0
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: @ base_address: 0x000007fffffdf010 process_identifier: 1280 process_handle: 0x0000000000000070	1	1	0
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: ÿÿÿÿÍ] ÒfÔÿÿ2¢ß-+ÿÿÿÿÿÿÿÿÀf@Øñ@Øñ@Øñ@Øñ@Øñ@@ø@@i@Àj@W@pð@ðñ@C abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ Øø@ì@ì@ì@ì@ì@ì@ì@ì@ì@Üø@ð@ð@ð@ð@ð@ð@ð@..þÿÿÿþÿÿÿÿÿÿÿuøC@.?AVlogic_error@std@@øC@.?AVlength_error@std@@øC@.?AVbad_exception@std@@øC@.?AVbad_alloc@std@@øC@.?AVexception@std@@øC@.?AVbad_array_new_length@std@@øC@.?AVtype_info@@ base_address: 0x000000014001f000 process_identifier: 1280 process_handle: 0x0000000000000070	1	1	0
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: @ base_address: 0x000007fffffdf010 process_identifier: 1280 process_handle: 0x0000000000000070	1	1	0
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: @ base_address: 0x000007fffffdf010 process_identifier: 1280 process_handle: 0x0000000000000070	1	1	0
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: EþDEùD4E$EEõDZEGEPE9E0E EEñDFF}FvFoFeF[FQFGFKGDG=G6G/G%GGGG3H,H%HHHH HHûGþä8oêÏÀ@Ý¥ ³XÆ¿±£mYEöïáÓÅ±uRK=/!÷é base_address: 0x0000000140023000 process_identifier: 1280 process_handle: 0x0000000000000070	1	1	0
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: @ base_address: 0x000007fffffdf010 process_identifier: 1280 process_handle: 0x0000000000000070	1	1	0
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: 0 H`@}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0000000140024000 process_identifier: 1280 process_handle: 0x0000000000000070	1	1	0
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: @ base_address: 0x000007fffffdf010 process_identifier: 1280 process_handle: 0x0000000000000070	1	1	0
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: @<¢ ¢¨¢°¢¸¢È¢Ø¢à¢ø¢££££ £8£@£H£p£x£££££°£¸£À£È£Ð£Ø£ð£ø£¤¤¤¤ ¤¥¥¥ ¥À¥Ð¥à¥ð¥¦¦ ¦0¦@¦P¦`¦p¦¦¦ ¦°¦À¦Ð¦à¦ð¦§§ §0§@§P§`§p§§§ §°§À§Ð§à§ð§¨¨ ¨0¨@¨P¨`¨p¨¨¨ ¨°¨À¨Ð¨à¨ð¨©© ©0©@©P©`©p©©© ©°©À©Ð©à©ð©ªª ª0ª@ªPª`ªpªªª ª°ªÀªÐªàªðª«« «0«@«P«`«p««« «°«À«Ð«à«ð«¬¬ ¬0¬@¬P¬`¬p¬¬¬ ¬°¬À¬P£ £¨£¦¦ ¦¨¦°¦¸¦À¦È¦Ð¦Ø¦è¦ð¦ø¦§§§§ §8§H§X§`§h§p§x§§§§§ §¨§°§¸§À§È§Ð§Ø§à§è§ð§ø§¨¨¨¨ ¨(¨0¨8¨@¨H¨P¨X¨`¨h¨p¨x¨¨¨¨¨ ¨¨¨°¨¸¨À¨È¨Ð¨à¨è¨ð¨ø¨©©©© ©(©0©8©@©H©P©X©`©h©p©x©©©©© ©¨©°©¸©À©È©Ð©Ø©à©è©ð©ø©ªªªª ª(ª0ª8ªh¯p¯x¯¯Ð¯Ø¯à¯è¯ð¯ø¯`¬ ( 0 8 @ H P X ` h p Ø«è«ø«¬¬(¬8¬H¬X¬h¬x¬¬¬¨¬¸¬È¬Ø¬è¬ø¬(8HXhx¨¸ÈØèø®®(®8®H®X®h®x®®®¨®¸®È®Ø®è®ø®¯¯(¯8¯H¯X¯h¯x¯¯¯¨¯¸¯È¯Ø¯è¯ø¯pL ( 8 H X h x ¨ ¸ È Ø è ø ¡¡(¡8¡H¡X¡h¡x¡¡¡¨¡¸¡È¡Ø¡è¡ø¡¢¢(¢8¢H¢X¢h¢x¢¢¢¨¢¸¢È¢Ø¢è¢ø¢££(£8£H£X£h£x£££¨£¸£È£Ø£è£ø£¤¤(¤8¤H¤X¤h¤x¤¤¤¨¤¸¤È¤Ø¤è¤ø¤¥¥(¥8¥H¥X¥h¥x¥¥¥¨¥¸¥È¥Ø¥è¥ø¥¦¦(¦8¦H¦X¦h¦x¦¦¦¨¦¸¦È¦Ø¦è¦ø¦§§(§8§H§X§h§x§§§¨§¸§È§Ø§è§ø§¨¨(¨8¨H¨X¨h¨x¨¨¨¨¨¸¨È¨Ø¨è¨ø¨©©(©8©H©X©h©x©©©¨©¸©È©Ø©è©ø©ªD0¦@¦P¦`¦p¦¦¦ ¦°¦À¦Ð¦à¦ð¦§§ §0§@§P§`§p§§§ §°§À§Ð§à§ð§¨¨ ¨0¨@¨P¨`¨p¨¨¨ ¨°¨À¨Ð¨à¨ð¨©© ©0©@©P©`©p©©© ©°©À©Ð©à©ð©ªª ª0ª@ªPª`ªpªªª ª°ªÀªÐªàªðª«« «0«@«P«`«p««« «°«À«Ð«à«ð«¬¬ ¬0¬@¬P¬`¬p¬¬¬ ¬°¬À¬Ð¬à¬ð¬ 0@P`p °ÀÐàð®® ®0®@®P®`®p®®® ®°®À®Ð®à®ð®¯¯ ¯0¯@¯P¯`¯p¯¯¯ ¯°¯À¯Ð¯à¯ð¯ 0 @ P ` p ° À Ð à ð ¡¡ ¡0¡@¡P¡`¡p¡¡¡ ¡°¡À¡Ð¡à¡ð¡¢¢ ¢0¢@¢P¢`¢p¢¢¢ ¢°¢À¢Ð¢à¢ð¢££ £0£@£P£`£p£££ £°£À£Ð£à£ð£¤¤ ¤0¤@¤P¤`¤°x««« ¬8¬@¬H¬P¬X¬ðTp ¸ Ø ø ¡8¡h¡¡¡¡È¡Ð¡@¨H¨P¨X¨`¨h¨p¨x¨¨¨¨ ¨¨¨°¨¸¨À¨È¨Ð¨0ªXªª¨ªÐªøª(« base_address: 0x0000000140025000 process_identifier: 1280 process_handle: 0x0000000000000070	1	1	0
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: @ base_address: 0x000007fffffdf010 process_identifier: 1280 process_handle: 0x0000000000000070	1	1	0
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: powershell.exe Set-ExecutionPolicy RemoteSigned -Scope Process -Force -Confirm:$false;$PSDefaultParameterValues = @{'Out-File:Encoding' = 'utf8'}; " C:\Users\test22\AppData\Local\Temp\255132002555.ps1" \| Out-File -encoding UTF8 "C:\Users\test22\AppData\Local\Temp\435534154234324.txt" base_address: 0x0000000002be0000 process_identifier: 1236 process_handle: 0x0000000000000030	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $´®hQÕÀ;QÕÀ;QÕÀ;Ã:TÕÀ;Å:ÛÕÀ;Ä:[ÕÀ;DªÄ:@ÕÀ;DªÃ:XÕÀ;DªÅ:}ÕÀ;Á:RÕÀ;QÕÁ;3ÕÀ;hUÉ:PÕÀ;hU?;PÕÀ;hUÂ:PÕÀ;RichQÕÀ;PEdvÄfð"%&âp(@``Ù(@àÌP`¼8 »@@.text3%& `.rdata@¢@¤*@@.data$ðÎ@À.pdataÌÚ@@_RDATA\0î@@.rsrcà@ð@@.relocPò@B base_address: 0x0000000140000000 process_identifier: 1280 process_handle: 0x0000000000000070	1	1	0

File has been identified by 11 AntiVirus engines on VirusTotal as malicious (11 events)

Bkav	W64.AIDetectMalware
Cylance	Unsafe
Sangfor	Ransom.Win32.Tflower_0.se2
CrowdStrike	win/malicious_confidence_70% (D)
Elastic	malicious (high confidence)
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
McAfeeD	ti!22FB4C9C67CC
Kingsoft	Win32.Troj.Unknown.a
DeepInstinct	MALICIOUS
Paloalto	generic.ml

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 840 called NtSetContextThread to modify thread in remote process 1280
NtSetContextThread Oct. 16, 2024, 10:58 a.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 5368719472 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 3211048 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 2003748096 registers.rdx: 8796092887040 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x000000000000006c process_identifier: 1280	1	0	0

Expresses interest in specific running processes (1 event)

process: potential process injection target

explorer.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 840 resumed a thread in remote process 1280
NtResumeThread Oct. 16, 2024, 10:58 a.m.	thread_handle: 0x000000000000006c suspend_count: 1 process_identifier: 1280	1	0	0

The process powershell.exe wrote an executable file to disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\service.exe

Executed a process and injected code into it, probably while unpacking (34 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Oct. 16, 2024, 10:58 a.m.	thread_identifier: 2052 thread_handle: 0x000000000000006c process_identifier: 1280 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\service.exe track: 1 command_line: 1 C:\Users\test22\AppData\Local\Temp\255132002555.ps1 C:\Users\test22\AppData\Local\Temp\435534154234324.txt filepath_r: C:\Users\test22\AppData\Local\Temp\service.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000070	1	1
NtGetContextThread Oct. 16, 2024, 10:58 a.m.	thread_handle: 0x000000000000006c	1	0
NtAllocateVirtualMemory Oct. 16, 2024, 10:58 a.m.	process_identifier: 1280 region_size: 155648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000070	1	0
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $´®hQÕÀ;QÕÀ;QÕÀ;Ã:TÕÀ;Å:ÛÕÀ;Ä:[ÕÀ;DªÄ:@ÕÀ;DªÃ:XÕÀ;DªÅ:}ÕÀ;Á:RÕÀ;QÕÁ;3ÕÀ;hUÉ:PÕÀ;hU?;PÕÀ;hUÂ:PÕÀ;RichQÕÀ;PEdvÄfð"%&âp(@``Ù(@àÌP`¼8 »@@.text3%& `.rdata@¢@¤*@@.data$ðÎ@À.pdataÌÚ@@_RDATA\0î@@.rsrcà@ð@@.relocPò@B base_address: 0x0000000140000000 process_identifier: 1280 process_handle: 0x0000000000000070	1	1
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: base_address: 0x0000000140001000 process_identifier: 1280 process_handle: 0x0000000000000070	1	1
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: @ base_address: 0x000007fffffdf010 process_identifier: 1280 process_handle: 0x0000000000000070	1	1
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: base_address: 0x0000000140014000 process_identifier: 1280 process_handle: 0x0000000000000070	1	1
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: @ base_address: 0x000007fffffdf010 process_identifier: 1280 process_handle: 0x0000000000000070	1	1
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: ÿÿÿÿÍ] ÒfÔÿÿ2¢ß-+ÿÿÿÿÿÿÿÿÀf@Øñ@Øñ@Øñ@Øñ@Øñ@@ø@@i@Àj@W@pð@ðñ@C abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ Øø@ì@ì@ì@ì@ì@ì@ì@ì@ì@Üø@ð@ð@ð@ð@ð@ð@ð@..þÿÿÿþÿÿÿÿÿÿÿuøC@.?AVlogic_error@std@@øC@.?AVlength_error@std@@øC@.?AVbad_exception@std@@øC@.?AVbad_alloc@std@@øC@.?AVexception@std@@øC@.?AVbad_array_new_length@std@@øC@.?AVtype_info@@ base_address: 0x000000014001f000 process_identifier: 1280 process_handle: 0x0000000000000070	1	1
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: @ base_address: 0x000007fffffdf010 process_identifier: 1280 process_handle: 0x0000000000000070	1	1
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: base_address: 0x0000000140021000 process_identifier: 1280 process_handle: 0x0000000000000070	1	1
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: @ base_address: 0x000007fffffdf010 process_identifier: 1280 process_handle: 0x0000000000000070	1	1
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: EþDEùD4E$EEõDZEGEPE9E0E EEñDFF}FvFoFeF[FQFGFKGDG=G6G/G%GGGG3H,H%HHHH HHûGþä8oêÏÀ@Ý¥ ³XÆ¿±£mYEöïáÓÅ±uRK=/!÷é base_address: 0x0000000140023000 process_identifier: 1280 process_handle: 0x0000000000000070	1	1
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: @ base_address: 0x000007fffffdf010 process_identifier: 1280 process_handle: 0x0000000000000070	1	1
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: 0 H`@}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0000000140024000 process_identifier: 1280 process_handle: 0x0000000000000070	1	1
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: @ base_address: 0x000007fffffdf010 process_identifier: 1280 process_handle: 0x0000000000000070	1	1
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: @<¢ ¢¨¢°¢¸¢È¢Ø¢à¢ø¢££££ £8£@£H£p£x£££££°£¸£À£È£Ð£Ø£ð£ø£¤¤¤¤ ¤¥¥¥ ¥À¥Ð¥à¥ð¥¦¦ ¦0¦@¦P¦`¦p¦¦¦ ¦°¦À¦Ð¦à¦ð¦§§ §0§@§P§`§p§§§ §°§À§Ð§à§ð§¨¨ ¨0¨@¨P¨`¨p¨¨¨ ¨°¨À¨Ð¨à¨ð¨©© ©0©@©P©`©p©©© ©°©À©Ð©à©ð©ªª ª0ª@ªPª`ªpªªª ª°ªÀªÐªàªðª«« «0«@«P«`«p««« «°«À«Ð«à«ð«¬¬ ¬0¬@¬P¬`¬p¬¬¬ ¬°¬À¬P£ £¨£¦¦ ¦¨¦°¦¸¦À¦È¦Ð¦Ø¦è¦ð¦ø¦§§§§ §8§H§X§`§h§p§x§§§§§ §¨§°§¸§À§È§Ð§Ø§à§è§ð§ø§¨¨¨¨ ¨(¨0¨8¨@¨H¨P¨X¨`¨h¨p¨x¨¨¨¨¨ ¨¨¨°¨¸¨À¨È¨Ð¨à¨è¨ð¨ø¨©©©© ©(©0©8©@©H©P©X©`©h©p©x©©©©© ©¨©°©¸©À©È©Ð©Ø©à©è©ð©ø©ªªªª ª(ª0ª8ªh¯p¯x¯¯Ð¯Ø¯à¯è¯ð¯ø¯`¬ ( 0 8 @ H P X ` h p Ø«è«ø«¬¬(¬8¬H¬X¬h¬x¬¬¬¨¬¸¬È¬Ø¬è¬ø¬(8HXhx¨¸ÈØèø®®(®8®H®X®h®x®®®¨®¸®È®Ø®è®ø®¯¯(¯8¯H¯X¯h¯x¯¯¯¨¯¸¯È¯Ø¯è¯ø¯pL ( 8 H X h x ¨ ¸ È Ø è ø ¡¡(¡8¡H¡X¡h¡x¡¡¡¨¡¸¡È¡Ø¡è¡ø¡¢¢(¢8¢H¢X¢h¢x¢¢¢¨¢¸¢È¢Ø¢è¢ø¢££(£8£H£X£h£x£££¨£¸£È£Ø£è£ø£¤¤(¤8¤H¤X¤h¤x¤¤¤¨¤¸¤È¤Ø¤è¤ø¤¥¥(¥8¥H¥X¥h¥x¥¥¥¨¥¸¥È¥Ø¥è¥ø¥¦¦(¦8¦H¦X¦h¦x¦¦¦¨¦¸¦È¦Ø¦è¦ø¦§§(§8§H§X§h§x§§§¨§¸§È§Ø§è§ø§¨¨(¨8¨H¨X¨h¨x¨¨¨¨¨¸¨È¨Ø¨è¨ø¨©©(©8©H©X©h©x©©©¨©¸©È©Ø©è©ø©ªD0¦@¦P¦`¦p¦¦¦ ¦°¦À¦Ð¦à¦ð¦§§ §0§@§P§`§p§§§ §°§À§Ð§à§ð§¨¨ ¨0¨@¨P¨`¨p¨¨¨ ¨°¨À¨Ð¨à¨ð¨©© ©0©@©P©`©p©©© ©°©À©Ð©à©ð©ªª ª0ª@ªPª`ªpªªª ª°ªÀªÐªàªðª«« «0«@«P«`«p««« «°«À«Ð«à«ð«¬¬ ¬0¬@¬P¬`¬p¬¬¬ ¬°¬À¬Ð¬à¬ð¬ 0@P`p °ÀÐàð®® ®0®@®P®`®p®®® ®°®À®Ð®à®ð®¯¯ ¯0¯@¯P¯`¯p¯¯¯ ¯°¯À¯Ð¯à¯ð¯ 0 @ P ` p ° À Ð à ð ¡¡ ¡0¡@¡P¡`¡p¡¡¡ ¡°¡À¡Ð¡à¡ð¡¢¢ ¢0¢@¢P¢`¢p¢¢¢ ¢°¢À¢Ð¢à¢ð¢££ £0£@£P£`£p£££ £°£À£Ð£à£ð£¤¤ ¤0¤@¤P¤`¤°x««« ¬8¬@¬H¬P¬X¬ðTp ¸ Ø ø ¡8¡h¡¡¡¡È¡Ð¡@¨H¨P¨X¨`¨h¨p¨x¨¨¨¨ ¨¨¨°¨¸¨À¨È¨Ð¨0ªXªª¨ªÐªøª(« base_address: 0x0000000140025000 process_identifier: 1280 process_handle: 0x0000000000000070	1	1
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: @ base_address: 0x000007fffffdf010 process_identifier: 1280 process_handle: 0x0000000000000070	1	1
NtSetContextThread Oct. 16, 2024, 10:58 a.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 5368719472 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 3211048 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 2003748096 registers.rdx: 8796092887040 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x000000000000006c process_identifier: 1280	1	0
NtResumeThread Oct. 16, 2024, 10:58 a.m.	thread_handle: 0x000000000000006c suspend_count: 1 process_identifier: 1280	1	0
CreateProcessInternalW Oct. 16, 2024, 10:59 a.m.	thread_identifier: 2784 thread_handle: 0x0000000000000254 process_identifier: 2780 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ExecutionPolicy RemoteSigned -Scope Process -Force -Confirm:$false;$PSDefaultParameterValues = @{'Out-File:Encoding' = 'utf8'}; " C:\Users\test22\AppData\Local\Temp\15002164.ps1" \| Out-File -encoding UTF8 "C:\Users\test22\AppData\Local\Temp\42412566645505.txt" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000260	1	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:58 a.m.	process_identifier: 1236 region_size: 155648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002c00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000000000000030	1	0
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: base_address: 0x0000000002c00000 process_identifier: 1236 process_handle: 0x0000000000000030	1	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:58 a.m.	process_identifier: 1236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x0000000002be0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000030	1	0
WriteProcessMemory Oct. 16, 2024, 10:58 a.m.	buffer: powershell.exe Set-ExecutionPolicy RemoteSigned -Scope Process -Force -Confirm:$false;$PSDefaultParameterValues = @{'Out-File:Encoding' = 'utf8'}; " C:\Users\test22\AppData\Local\Temp\255132002555.ps1" \| Out-File -encoding UTF8 "C:\Users\test22\AppData\Local\Temp\435534154234324.txt" base_address: 0x0000000002be0000 process_identifier: 1236 process_handle: 0x0000000000000030	1	1
CreateProcessInternalW Oct. 16, 2024, 10:58 a.m.	thread_identifier: 2216 thread_handle: 0x0000000000000580 process_identifier: 2212 current_directory: filepath: track: 1 command_line: powershell.exe Set-ExecutionPolicy RemoteSigned -Scope Process -Force -Confirm:$false;$PSDefaultParameterValues = @{'Out-File:Encoding' = 'utf8'}; " C:\Users\test22\AppData\Local\Temp\255132002555.ps1" \| Out-File -encoding UTF8 "C:\Users\test22\AppData\Local\Temp\435534154234324.txt" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000000000000744	1	1
NtResumeThread Oct. 16, 2024, 10:59 a.m.	thread_handle: 0x0000000000000288 suspend_count: 1 process_identifier: 2212	1	0
NtResumeThread Oct. 16, 2024, 10:59 a.m.	thread_handle: 0x00000000000002dc suspend_count: 1 process_identifier: 2212	1	0
NtResumeThread Oct. 16, 2024, 10:59 a.m.	thread_handle: 0x000000000000036c suspend_count: 1 process_identifier: 2212	1	0
NtResumeThread Oct. 16, 2024, 10:59 a.m.	thread_handle: 0x0000000000000498 suspend_count: 1 process_identifier: 2212	1	0
NtResumeThread Oct. 16, 2024, 11:07 a.m.	thread_handle: 0x00000000000002a0 suspend_count: 1 process_identifier: 2780	1	0
NtResumeThread Oct. 16, 2024, 11:07 a.m.	thread_handle: 0x00000000000002f4 suspend_count: 1 process_identifier: 2780	1	0
NtResumeThread Oct. 16, 2024, 11:07 a.m.	thread_handle: 0x0000000000000380 suspend_count: 1 process_identifier: 2780	1	0
NtResumeThread Oct. 16, 2024, 11:07 a.m.	thread_handle: 0x000000000000055c suspend_count: 1 process_identifier: 2780	1	0

service.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All