Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 19, 2024, 2:42 p.m.	Nov. 19, 2024, 2:48 p.m.

Size	35.9MB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`bb1c7286c327eafc7cf6a21492cdfa0f`
SHA256	`8ac63cd639f78b172efc3c4cfecbe7dae3cd7f3dc245d31476187b0517c1babd`
CRC32	`30AC4251`
ssdeep	`786432:npmGxqs8IFPB/4vQiZYgVcNioTjAHaUUfC+TDNED:n8bGJQvCgVxcj4zaC+TZe`
Yara	Malicious_Library_Zero - Malicious_Library ftp_command - ftp command Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format OS_Processor_Check_Zero - OS Processor Check

Potwierdzenie.exe "C:\Users\test22\AppData\Local\Temp\Potwierdzenie.exe"
1880

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 19, 2024, 1:26 p.m.	computer_name: Ä匐㔜뉠⩨		0	0
GetComputerNameW Nov. 19, 2024, 1:26 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 19, 2024, 1:26 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA Nov. 19, 2024, 1:26 p.m.	buffer: This application was built with ExeOutput for PHP TRIAL available at http://www.exeoutput.com console_handle: 0x00000007	1	1	0
WriteConsoleA Nov. 19, 2024, 1:26 p.m.	buffer: REDISTRIBUTION IS PROHIBITED: PURCHASE A LICENSE. console_handle: 0x00000007	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 19, 2024, 1:26 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 17072 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00900000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00900000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00910000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00910000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00910000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00920000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00920000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00920000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03190000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00940000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 5 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77990000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 5 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77980000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 5 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77970000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 5 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77960000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 5 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77950000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 5 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77940000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 5 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77930000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 5 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77920000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 5 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77910000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 5 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77900000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 5 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 5 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 5 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 5 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 5 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 5 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77890000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 10 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77990000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 10 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77980000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 10 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77970000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 10 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77960000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 10 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77950000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 10 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77940000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 10 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77930000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 10 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77920000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 10 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77910000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 10 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77900000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 1880 region_size: 10 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW Nov. 19, 2024, 1:26 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\Data\exo-echange.dat filepath: C:\Users\test22\AppData\Local\Temp\Data\exo-echange.dat	1	1	0

File has been identified by 8 AntiVirus engines on VirusTotal as malicious (8 events)

Bkav	W32.AIDetectMalware
Cylance	Unsafe
CrowdStrike	win/grayware_confidence_70% (D)
APEX	Malicious
DrWeb	Trojan.PWS.Stealer.39683
Zillya	Trojan.Stealer.Win32.176221
Jiangmin	TrojanSpy.Stealer.akai
DeepInstinct	MALICIOUS

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x000d2200', u'virtual_address': u'0x0042a000', u'entropy': 7.448059449339906, u'name': u'.rsrc', u'virtual_size': u'0x000d213c'}

entropy

7.44805944934

description

A section with a high entropy has been found

Potentially malicious URLs were found in the process memory dump (50 out of 59 events)

url	http://www.icon
url	http://ator
url	http://www.
url	http://www.text-decoration
url	http://.jpg
url	http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd
url	http://imEnglish
url	http://px
url	http://option
url	http://html4/loose.dtd
url	http://www-//W3C//DTD
url	http://familiar
url	http://www.C//DTD
url	http://www.css
url	http://www.hortcut
url	http://bugs.php.net
url	http://encoding
url	http://www.a
url	http://relaxng.org/ns/structure/1.0
url	http://www./div
url	http://www.years
url	http://www.language
url	http://www.zend.com/
url	http://cript
url	http://link
url	http://UA-Compatible
url	http://Descriptionrelatively
url	http://www.php.net/
url	http://In
url	http://php.net/xpath
url	http://interpreted
url	http://navigation
url	https://aIn
url	http://iparticipation
url	http://www
url	http://interested
url	http://staticsuggested
url	http://applicationslink
url	http://bugs.php.net/
url	http://.css
url	http://xt/css
url	http://dictionaryperceptionrevolutionfoundationpx
url	https://was
url	http://site
url	http://www.wencodeURIComponent
url	http://i
url	http://An
url	https://github.com/php/php-src/issues
url	http://w
url	http://whether

Yara rule detected in process memory (22 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Hijack network configuration	rule	Hijack_Network
description	Communications smtp	rule	network_smtp_raw
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Install itself for autorun at Windows startup	rule	Persistence
description	Run a KeyLogger	rule	KeyLogger

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 30f7f60f83d5f95766a737abcc332d57445b6789

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 2220 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0x0000027c	1	0	0
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 2220 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 1052672 (MEM_COMMIT\|MEM_TOP_DOWN) process_handle: 0x0000027c	1	0	0

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1880 created a remote thread in non-child process 2220
CreateRemoteThread Nov. 19, 2024, 1:26 p.m.	thread_identifier: 2280 process_identifier: 2220 function_address: 0x1002ac60 flags: 0 stack_size: 67108864 parameter: 0x7ef60000 process_handle: 0x0000027c	1	660	0

Manipulates memory of a non-child process indicative of process injection (18 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1880 manipulating memory of non-child process 2220
NtProtectVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 4 (PAGE_READWRITE) base_address: 0x00400000 process_handle: 0x0000027c	1	0	0
NtProtectVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 2 (PAGE_READONLY) base_address: 0x00400000 process_handle: 0x0000027c	1	0	0
NtProtectVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 4 (PAGE_READWRITE) base_address: 0x00400000 process_handle: 0x0000027c	1	0	0
NtProtectVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 2 (PAGE_READONLY) base_address: 0x00400000 process_handle: 0x0000027c	1	0	0
NtProtectVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 4 (PAGE_READWRITE) base_address: 0x00400000 process_handle: 0x0000027c	1	0	0
NtProtectVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 2 (PAGE_READONLY) base_address: 0x00400000 process_handle: 0x0000027c	1	0	0
NtProtectVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 4 (PAGE_READWRITE) base_address: 0x00400000 process_handle: 0x0000027c	1	0	0
NtProtectVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 2 (PAGE_READONLY) base_address: 0x00400000 process_handle: 0x0000027c	1	0	0
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 2220 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0x0000027c	1	0	0
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 2220 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 1052672 (MEM_COMMIT\|MEM_TOP_DOWN) process_handle: 0x0000027c	1	0	0
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x7efa0000 allocation_type: 1052672 (MEM_COMMIT\|MEM_TOP_DOWN) process_handle: 0x0000027c	1	0	0
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x7ef90000 allocation_type: 1052672 (MEM_COMMIT\|MEM_TOP_DOWN) process_handle: 0x0000027c	1	0	0
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x7ef80000 allocation_type: 1052672 (MEM_COMMIT\|MEM_TOP_DOWN) process_handle: 0x0000027c	1	0	0
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x7ef70000 allocation_type: 1052672 (MEM_COMMIT\|MEM_TOP_DOWN) process_handle: 0x0000027c	1	0	0
NtProtectVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 4 (PAGE_READWRITE) base_address: 0x00400000 process_handle: 0x0000027c	1	0	0
NtProtectVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 2 (PAGE_READONLY) base_address: 0x00400000 process_handle: 0x0000027c	1	0	0
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x7ef60000 allocation_type: 1052672 (MEM_COMMIT\|MEM_TOP_DOWN) process_handle: 0x0000027c	1	0	0

Potential code injection by writing to the memory of another process (11 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1880 injected into non-child 2220
WriteProcessMemory Nov. 19, 2024, 1:26 p.m.	buffer: PEL}S£fàÄ<vÔÞ<à<@ÐOd¾L@ @s B¸À@hs@ð@Ú base_address: 0x00400100 process_identifier: 2220 process_handle: 0x0000027c	1	1	0
WriteProcessMemory Nov. 19, 2024, 1:26 p.m.	buffer: PEL}S£fàÄ<vÔÞ<à<@ÐOd¾L@ @s B¸À@hs@ð@Ú base_address: 0x00400100 process_identifier: 2220 process_handle: 0x0000027c	1	1	0
WriteProcessMemory Nov. 19, 2024, 1:26 p.m.	buffer: PEL}S£fàÄ<vÔÞ<à<@ÐOd¾L@ @s B¸À@@Ú base_address: 0x00400100 process_identifier: 2220 process_handle: 0x0000027c	1	1	0
WriteProcessMemory Nov. 19, 2024, 1:26 p.m.	buffer: PEL}S£fàÄ<vÔÞ<à<@ÐOd¾L@Á@ @s B¸À@@Ú base_address: 0x00400100 process_identifier: 2220 process_handle: 0x0000027c	1	1	0
WriteProcessMemory Nov. 19, 2024, 1:26 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\Data\php.exe base_address: 0x7efa0000 process_identifier: 2220 process_handle: 0x0000027c	1	1	0
WriteProcessMemory Nov. 19, 2024, 1:26 p.m.	buffer: "C:\Users\test22\AppData\Local\Temp\Data\php.exe" -c "C:\Users\test22\AppData\Local\Temp\Data\php-cli.ini" "C:\Users\test22\AppData\Local\Temp\Data\v3lib.php" base_address: 0x7ef90000 process_identifier: 2220 process_handle: 0x0000027c	1	1	0
WriteProcessMemory Nov. 19, 2024, 1:26 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\Data\ base_address: 0x7ef80000 process_identifier: 2220 process_handle: 0x0000027c	1	1	0
WriteProcessMemory Nov. 19, 2024, 1:26 p.m.	buffer: base_address: 0x7ef70000 process_identifier: 2220 process_handle: 0x0000027c	1	1	0
WriteProcessMemory Nov. 19, 2024, 1:26 p.m.	buffer: PEL}S£fàÄ<vÔÞ<à<@ÐOd¾L@Á@ @s B¸À@@Ú base_address: 0x00400100 process_identifier: 2220 process_handle: 0x0000027c	1	1	0
WriteProcessMemory Nov. 19, 2024, 1:26 p.m.	buffer: Xú~ù~ø~÷~@Xÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ base_address: 0x7ef60000 process_identifier: 2220 process_handle: 0x0000027c	1	1	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1880 resumed a thread in remote process 2220
NtResumeThread Nov. 19, 2024, 1:26 p.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 2220	1	0	0

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress Nov. 19, 2024, 1:26 p.m.	ordinal: 0 function_address: 0x0041209c function_name: wine_get_version module: ntdll module_address: 0x778a0000		3221225785	0

Executed a process and injected code into it, probably while unpacking (32 events)

Time & API	Arguments	Status	Return
NtResumeThread Nov. 19, 2024, 1:26 p.m.	thread_handle: 0x00000110 suspend_count: 1 process_identifier: 1880	1	0
NtResumeThread Nov. 19, 2024, 1:26 p.m.	thread_handle: 0x00000220 suspend_count: 1 process_identifier: 1880	1	0
NtResumeThread Nov. 19, 2024, 1:26 p.m.	thread_handle: 0x00000224 suspend_count: 1 process_identifier: 1880	1	0
NtResumeThread Nov. 19, 2024, 1:26 p.m.	thread_handle: 0x0000022c suspend_count: 1 process_identifier: 1880	1	0
NtResumeThread Nov. 19, 2024, 1:26 p.m.	thread_handle: 0x00000234 suspend_count: 1 process_identifier: 1880	1	0
NtResumeThread Nov. 19, 2024, 1:26 p.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 1880	1	0
NtResumeThread Nov. 19, 2024, 1:26 p.m.	thread_handle: 0x00000244 suspend_count: 1 process_identifier: 1880	1	0
NtResumeThread Nov. 19, 2024, 1:26 p.m.	thread_handle: 0x0000024c suspend_count: 1 process_identifier: 1880	1	0
NtResumeThread Nov. 19, 2024, 1:26 p.m.	thread_handle: 0x00000254 suspend_count: 1 process_identifier: 1880	1	0
NtResumeThread Nov. 19, 2024, 1:26 p.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 1880	1	0
NtResumeThread Nov. 19, 2024, 1:26 p.m.	thread_handle: 0x00000264 suspend_count: 1 process_identifier: 1880	1	0
NtResumeThread Nov. 19, 2024, 1:26 p.m.	thread_handle: 0x0000026c suspend_count: 1 process_identifier: 1880	1	0
CreateProcessInternalW Nov. 19, 2024, 1:26 p.m.	thread_identifier: 2224 thread_handle: 0x000001fc process_identifier: 2220 current_directory: C:\Users\test22\AppData\Local\Temp\Data\ filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\Potwierdzenie.exe" -c "C:\Users\test22\AppData\Local\Temp\Data\php-cli.ini" "C:\Users\test22\AppData\Local\Temp\Data\v3lib.php" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 4294967295 process_handle: 0x0000027c	1	1
WriteProcessMemory Nov. 19, 2024, 1:26 p.m.	buffer: PEL}S£fàÄ<vÔÞ<à<@ÐOd¾L@ @s B¸À@hs@ð@Ú base_address: 0x00400100 process_identifier: 2220 process_handle: 0x0000027c	1	1
WriteProcessMemory Nov. 19, 2024, 1:26 p.m.	buffer: PEL}S£fàÄ<vÔÞ<à<@ÐOd¾L@ @s B¸À@hs@ð@Ú base_address: 0x00400100 process_identifier: 2220 process_handle: 0x0000027c	1	1
WriteProcessMemory Nov. 19, 2024, 1:26 p.m.	buffer: PEL}S£fàÄ<vÔÞ<à<@ÐOd¾L@ @s B¸À@@Ú base_address: 0x00400100 process_identifier: 2220 process_handle: 0x0000027c	1	1
WriteProcessMemory Nov. 19, 2024, 1:26 p.m.	buffer: PEL}S£fàÄ<vÔÞ<à<@ÐOd¾L@Á@ @s B¸À@@Ú base_address: 0x00400100 process_identifier: 2220 process_handle: 0x0000027c	1	1
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 2220 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0x0000027c	1	0
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 2220 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 1052672 (MEM_COMMIT\|MEM_TOP_DOWN) process_handle: 0x0000027c	1	0
WriteProcessMemory Nov. 19, 2024, 1:26 p.m.	buffer: base_address: 0x10000000 process_identifier: 2220 process_handle: 0x0000027c	1	1
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x7efa0000 allocation_type: 1052672 (MEM_COMMIT\|MEM_TOP_DOWN) process_handle: 0x0000027c	1	0
WriteProcessMemory Nov. 19, 2024, 1:26 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\Data\php.exe base_address: 0x7efa0000 process_identifier: 2220 process_handle: 0x0000027c	1	1
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x7ef90000 allocation_type: 1052672 (MEM_COMMIT\|MEM_TOP_DOWN) process_handle: 0x0000027c	1	0
WriteProcessMemory Nov. 19, 2024, 1:26 p.m.	buffer: "C:\Users\test22\AppData\Local\Temp\Data\php.exe" -c "C:\Users\test22\AppData\Local\Temp\Data\php-cli.ini" "C:\Users\test22\AppData\Local\Temp\Data\v3lib.php" base_address: 0x7ef90000 process_identifier: 2220 process_handle: 0x0000027c	1	1
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x7ef80000 allocation_type: 1052672 (MEM_COMMIT\|MEM_TOP_DOWN) process_handle: 0x0000027c	1	0
WriteProcessMemory Nov. 19, 2024, 1:26 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\Data\ base_address: 0x7ef80000 process_identifier: 2220 process_handle: 0x0000027c	1	1
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x7ef70000 allocation_type: 1052672 (MEM_COMMIT\|MEM_TOP_DOWN) process_handle: 0x0000027c	1	0
WriteProcessMemory Nov. 19, 2024, 1:26 p.m.	buffer: base_address: 0x7ef70000 process_identifier: 2220 process_handle: 0x0000027c	1	1
WriteProcessMemory Nov. 19, 2024, 1:26 p.m.	buffer: PEL}S£fàÄ<vÔÞ<à<@ÐOd¾L@Á@ @s B¸À@@Ú base_address: 0x00400100 process_identifier: 2220 process_handle: 0x0000027c	1	1
NtAllocateVirtualMemory Nov. 19, 2024, 1:26 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x7ef60000 allocation_type: 1052672 (MEM_COMMIT\|MEM_TOP_DOWN) process_handle: 0x0000027c	1	0
WriteProcessMemory Nov. 19, 2024, 1:26 p.m.	buffer: Xú~ù~ø~÷~@Xÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ base_address: 0x7ef60000 process_identifier: 2220 process_handle: 0x0000027c	1	1
NtResumeThread Nov. 19, 2024, 1:26 p.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 2220	1	0

Potwierdzenie.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All