Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x3201	April 6, 2021, 4:41 p.m.	April 6, 2021, 4:43 p.m.

Size	368.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`4bf1d28524782e3de6d241c2bb625b5e`
SHA256	`badb1739d819774ec20371577cb5435f40fd9943258fb3fbff14f078884c58e4`
CRC32	`8D55CF37`
ssdeep	`6144:F23gC/67SY8Rp10LNRdU7iwa8L/xksmNuL/bc31As2apgSTnAlkcGK3cgru:F2d/6cRp10LOiwdpL/bc3as2cgj+cTG`
Yara	Win32_Trojan_PWS_Azorult_Net_1_Zero - Win32 Trojan PWS .NET Azorult PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check

A4ge7vE97nKzwZk.exe "C:\Users\Administrator\AppData\Local\Temp\A4ge7vE97nKzwZk.exe"
5692
- A4ge7vE97nKzwZk.exe "{path}"
  5460

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
159.69.119.114	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 6, 2021, 4:36 p.m.			0	0
IsDebuggerPresent April 6, 2021, 4:36 p.m.			0	0
IsDebuggerPresent April 6, 2021, 4:41 p.m.			0	0
IsDebuggerPresent April 6, 2021, 4:41 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey April 6, 2021, 4:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2258 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e22d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e22d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2558 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 6, 2021, 4:36 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 74 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a1f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a1f2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01450000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x014b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00725000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0072b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00727000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0070c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01480000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0071a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00717000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0070a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00716000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01481000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01485000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72322000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01488000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0148a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0148b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0148c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0148d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0148e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0148f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ee0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ee1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ee7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ee8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ee9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03eea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03eeb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03eec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03eed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03eee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03eef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:41 p.m.	process_identifier: 5460 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:41 p.m.	process_identifier: 5460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 6, 2021, 4:41 p.m.	process_identifier: 5460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 6, 2021, 4:41 p.m.	process_identifier: 5460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a282000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:41 p.m.	process_identifier: 5460 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00850000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:41 p.m.	process_identifier: 5460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:41 p.m.	process_identifier: 5460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:41 p.m.	process_identifier: 5460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:41 p.m.	process_identifier: 5460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:41 p.m.	process_identifier: 5460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:41 p.m.	process_identifier: 5460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 6, 2021, 4:42 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0005b600', u'virtual_address': u'0x00002000', u'entropy': 7.49435695743754, u'name': u'.text', u'virtual_size': u'0x0005b5bc'}

entropy

7.49435695744

description

A section with a high entropy has been found

entropy

0.994557823129

description

Overall entropy of this PE file is high

Yara rule detected in process memory (11 events)

description	Listen for incoming communication	rule	network_tcp_listen
description	Affect private profile	rule	win_files_operation
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	SEH__vectored
description	Possibly employs anti-virtualization techniques	rule	vmdetect
description	Detection of Virtual Appliances through the use of WMI for use of evasion.	rule	WMI_VM_Detect
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

159.69.119.114

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5460 region_size: 155648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000025c	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation April 6, 2021, 4:41 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory April 6, 2021, 4:36 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL\| Â²à0ä®á @ `@\áO ð@@á H.textâ ä `.rsrcð è@@.reloc@ð@B base_address: 0x00400000 process_identifier: 5460 process_handle: 0x0000025c	1	1
WriteProcessMemory April 6, 2021, 4:36 p.m.	buffer: P8hð ``4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ÀStringFileInfo000004b0, CommentsCSGO Tool8CompanyNameVoteban IncHFileDescriptionVoteban Manager0FileVersion1.2.3.18InternalNameLanolin.exe> LegalCopyrightVAC Inc 2020@LegalTrademarksVoteban Inc@OriginalFilenameLanolin.exe>ProductNameVoteban Client4ProductVersion1.2.3.1< Assembly Version2.51.14.3$êï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00422000 process_identifier: 5460 process_handle: 0x0000025c	1	1
WriteProcessMemory April 6, 2021, 4:36 p.m.	buffer: à°1 base_address: 0x00424000 process_identifier: 5460 process_handle: 0x0000025c	1	1
WriteProcessMemory April 6, 2021, 4:36 p.m.	buffer: @ base_address: 0x7ffd7008 process_identifier: 5460 process_handle: 0x0000025c	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory April 6, 2021, 4:36 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL\| Â²à0ä®á @ `@\áO ð@@á H.textâ ä `.rsrcð è@@.reloc@ð@B base_address: 0x00400000 process_identifier: 5460 process_handle: 0x0000025c	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 5692 called NtSetContextThread to modify thread in remote process 5460
NtSetContextThread April 6, 2021, 4:36 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4317614 registers.ebp: 0 registers.edx: 0 registers.ebx: 2147315712 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000258 process_identifier: 5460	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 5692 resumed a thread in remote process 5460
NtResumeThread April 6, 2021, 4:36 p.m.	thread_handle: 0x00000258 suspend_count: 1 process_identifier: 5460	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

159.69.119.114:3214

Executed a process and injected code into it, probably while unpacking (19 events)

Time & API	Arguments	Status	Return
NtResumeThread April 6, 2021, 4:36 p.m.	thread_handle: 0x000000c0 suspend_count: 1 process_identifier: 5692	1	0
NtResumeThread April 6, 2021, 4:36 p.m.	thread_handle: 0x00000138 suspend_count: 1 process_identifier: 5692	1	0
NtResumeThread April 6, 2021, 4:36 p.m.	thread_handle: 0x00000184 suspend_count: 1 process_identifier: 5692	1	0
CreateProcessInternalW April 6, 2021, 4:36 p.m.	thread_identifier: 5048 thread_handle: 0x00000258 process_identifier: 5460 current_directory: filepath: C:\Users\Administrator\AppData\Local\Temp\A4ge7vE97nKzwZk.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator\AppData\Local\Temp\A4ge7vE97nKzwZk.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000025c	1	1
NtGetContextThread April 6, 2021, 4:36 p.m.	thread_handle: 0x00000258	1	0
NtAllocateVirtualMemory April 6, 2021, 4:36 p.m.	process_identifier: 5460 region_size: 155648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000025c	1	0
WriteProcessMemory April 6, 2021, 4:36 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL\| Â²à0ä®á @ `@\áO ð@@á H.textâ ä `.rsrcð è@@.reloc@ð@B base_address: 0x00400000 process_identifier: 5460 process_handle: 0x0000025c	1	1
WriteProcessMemory April 6, 2021, 4:36 p.m.	buffer: base_address: 0x00402000 process_identifier: 5460 process_handle: 0x0000025c	1	1
WriteProcessMemory April 6, 2021, 4:36 p.m.	buffer: P8hð ``4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ÀStringFileInfo000004b0, CommentsCSGO Tool8CompanyNameVoteban IncHFileDescriptionVoteban Manager0FileVersion1.2.3.18InternalNameLanolin.exe> LegalCopyrightVAC Inc 2020@LegalTrademarksVoteban Inc@OriginalFilenameLanolin.exe>ProductNameVoteban Client4ProductVersion1.2.3.1< Assembly Version2.51.14.3$êï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00422000 process_identifier: 5460 process_handle: 0x0000025c	1	1
WriteProcessMemory April 6, 2021, 4:36 p.m.	buffer: à°1 base_address: 0x00424000 process_identifier: 5460 process_handle: 0x0000025c	1	1
WriteProcessMemory April 6, 2021, 4:36 p.m.	buffer: @ base_address: 0x7ffd7008 process_identifier: 5460 process_handle: 0x0000025c	1	1
NtSetContextThread April 6, 2021, 4:36 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4317614 registers.ebp: 0 registers.edx: 0 registers.ebx: 2147315712 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000258 process_identifier: 5460	1	0
NtResumeThread April 6, 2021, 4:36 p.m.	thread_handle: 0x00000258 suspend_count: 1 process_identifier: 5460	1	0
NtResumeThread April 6, 2021, 4:41 p.m.	thread_handle: 0x000000c0 suspend_count: 1 process_identifier: 5460	1	0
NtResumeThread April 6, 2021, 4:41 p.m.	thread_handle: 0x00000134 suspend_count: 1 process_identifier: 5460	1	0
NtResumeThread April 6, 2021, 4:41 p.m.	thread_handle: 0x00000184 suspend_count: 1 process_identifier: 5460	1	0
NtResumeThread April 6, 2021, 4:41 p.m.	thread_handle: 0x00000204 suspend_count: 1 process_identifier: 5460	1	0
NtResumeThread April 6, 2021, 4:41 p.m.	thread_handle: 0x0000021c suspend_count: 1 process_identifier: 5460	1	0
NtResumeThread April 6, 2021, 4:42 p.m.	thread_handle: 0x000003a8 suspend_count: 1 process_identifier: 5460	1	0

A4ge7vE97nKzwZk.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All