Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 15, 2021, 9:37 a.m.	April 15, 2021, 9:39 a.m.

Size	902.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`aef6e395b99c7a52423cff98251b2a4b`
SHA256	`be9f69b76e474d8d7e8a751f390b707bd840a24f5713b259a816da06b912b812`
CRC32	`1127CFEC`
ssdeep	`12288:zZ7x2pstd/fuqqkthojxddqn6RcvUXUxBhPtj6lnqENlpFDFo:11dtd/jrax7qCGhPtj6MSFo`
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero Win32_Trojan_PWS_Azorult_Net_1_Zero - Win32 Trojan PWS .NET Azorult IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check

KL7MR6mZz2acpSc.exe "C:\Users\test22\AppData\Local\Temp\KL7MR6mZz2acpSc.exe"
7948
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XBZhuKLRmzrBA" /XML "C:\Users\test22\AppData\Local\Temp\tmpCCF8.tmp"
  2120

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW April 15, 2021, 9:37 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 15, 2021, 9:37 a.m.			0	0
IsDebuggerPresent April 15, 2021, 9:37 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW April 15, 2021, 9:37 a.m.	buffer: SUCCESS: The scheduled task "Updates\XBZhuKLRmzrBA" has successfully been created. console_handle: 0x00000007	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 15, 2021, 9:37 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (34 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ee0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00602000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00635000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0063b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00637000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0061c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0060a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0062a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00627000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0061a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00626000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00931000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00932000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00933000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00934000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00935000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00936000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00937000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00938000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00939000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0093a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0093b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0093c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0093d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0093e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x078d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 7948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x078d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\XBZhuKLRmzrBA.exe

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XBZhuKLRmzrBA" /XML "C:\Users\test22\AppData\Local\Temp\tmpCCF8.tmp"
cmdline	schtasks.exe /Create /TN "Updates\XBZhuKLRmzrBA" /XML "C:\Users\test22\AppData\Local\Temp\tmpCCF8.tmp"

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\XBZhuKLRmzrBA.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW April 15, 2021, 9:37 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\XBZhuKLRmzrBA" /XML "C:\Users\test22\AppData\Local\Temp\tmpCCF8.tmp" filepath: schtasks.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000b8600', u'virtual_address': u'0x00002000', u'entropy': 7.9208419658300775, u'name': u'.text', u'virtual_size': u'0x000b855c'}

entropy

7.92084196583

description

A section with a high entropy has been found

entropy

0.817627494457

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 15, 2021, 9:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Terminates another process (10 events)

Time & API	Arguments	Status
NtTerminateProcess April 15, 2021, 9:37 a.m.	status_code: 0xffffffff process_identifier: 4848 process_handle: 0x000003a0
NtTerminateProcess April 15, 2021, 9:37 a.m.	status_code: 0xffffffff process_identifier: 4848 process_handle: 0x000003a0	1
NtTerminateProcess April 15, 2021, 9:37 a.m.	status_code: 0xffffffff process_identifier: 5256 process_handle: 0x000003e0
NtTerminateProcess April 15, 2021, 9:37 a.m.	status_code: 0xffffffff process_identifier: 5256 process_handle: 0x000003e0	1
NtTerminateProcess April 15, 2021, 9:37 a.m.	status_code: 0xffffffff process_identifier: 3916 process_handle: 0x000003e4
NtTerminateProcess April 15, 2021, 9:37 a.m.	status_code: 0xffffffff process_identifier: 3916 process_handle: 0x000003e4	1
NtTerminateProcess April 15, 2021, 9:37 a.m.	status_code: 0xffffffff process_identifier: 1608 process_handle: 0x000003ec
NtTerminateProcess April 15, 2021, 9:37 a.m.	status_code: 0xffffffff process_identifier: 1608 process_handle: 0x000003ec	1
NtTerminateProcess April 15, 2021, 9:37 a.m.	status_code: 0xffffffff process_identifier: 5168 process_handle: 0x000003f4
NtTerminateProcess April 15, 2021, 9:37 a.m.	status_code: 0xffffffff process_identifier: 5168 process_handle: 0x000003f4	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XBZhuKLRmzrBA" /XML "C:\Users\test22\AppData\Local\Temp\tmpCCF8.tmp"
cmdline	schtasks.exe /Create /TN "Updates\XBZhuKLRmzrBA" /XML "C:\Users\test22\AppData\Local\Temp\tmpCCF8.tmp"

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Allocates execute permission to another process indicative of possible code injection (5 events)

Time & API	Arguments	Return
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 4848 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000398	3221225496
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 5256 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000390	3221225496
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 3916 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003d8	3221225496
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 1608 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003cc	3221225496
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 5168 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003e8	3221225496

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\tmpCCF8.tmp

Manipulates memory of a non-child process indicative of process injection (10 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 7948 manipulating memory of non-child process 4848
Process injection	Process 7948 manipulating memory of non-child process 5256
Process injection	Process 7948 manipulating memory of non-child process 3916
Process injection	Process 7948 manipulating memory of non-child process 1608
Process injection	Process 7948 manipulating memory of non-child process 5168
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 4848 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000398	3221225496	0
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 5256 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000390	3221225496	0
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 3916 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003d8	3221225496	0
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 1608 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003cc	3221225496	0
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 5168 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003e8	3221225496	0

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.aef6e395b99c7a52
Cylance	Unsafe
Cybereason	malicious.415bcb
BitDefenderTheta	Gen:NN.ZemsilF.34678.4m0@aacgRze
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of MSIL/GenKryptik.FEAX
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan-PSW.MSIL.Stelega.gen
Paloalto	generic.ml
AegisLab	Trojan.Multi.Generic.4!c
Tencent	Win32.Trojan.Inject.Auto
Sophos	Mal/Generic-S
McAfee-GW-Edition	BehavesLike.Win32.Generic.dc
Ikarus	Win32.Outbreak
Microsoft	Trojan:Win32/AgentTesla!ml
Cynet	Malicious (score: 100)
McAfee	Artemis!AEF6E395B99C
Malwarebytes	Malware.AI.1418741313
Rising	Trojan.GenKryptik!8.AA55 (CLOUD)
Yandex	Trojan.AvsArher.bTJEKx
eGambit	Unsafe.AI_Score_99%
AVG	Win32:PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_90% (W)
Qihoo-360	Win32/TrojanSpy.AgentTesla.HgIASSsA

Executed a process and injected code into it, probably while unpacking (25 events)

Time & API	Arguments	Status	Return
NtResumeThread April 15, 2021, 9:37 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 7948	1	0
NtResumeThread April 15, 2021, 9:37 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 7948	1	0
NtResumeThread April 15, 2021, 9:37 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 7948	1	0
NtResumeThread April 15, 2021, 9:37 a.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 7948	1	0
NtGetContextThread April 15, 2021, 9:37 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread April 15, 2021, 9:37 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread April 15, 2021, 9:37 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 7948	1	0
NtGetContextThread April 15, 2021, 9:37 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread April 15, 2021, 9:37 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 7948	1	0
CreateProcessInternalW April 15, 2021, 9:37 a.m.	thread_identifier: 6420 thread_handle: 0x000003d8 process_identifier: 2120 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XBZhuKLRmzrBA" /XML "C:\Users\test22\AppData\Local\Temp\tmpCCF8.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003e0	1	1
CreateProcessInternalW April 15, 2021, 9:37 a.m.	thread_identifier: 668 thread_handle: 0x0000039c process_identifier: 4848 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\KL7MR6mZz2acpSc.exe track: 1 command_line: "{path}" filepath_r: C:\Users\test22\AppData\Local\Temp\KL7MR6mZz2acpSc.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000398	1	1
NtGetContextThread April 15, 2021, 9:37 a.m.	thread_handle: 0x0000039c	1	0
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 4848 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000398		3221225496
CreateProcessInternalW April 15, 2021, 9:37 a.m.	thread_identifier: 5752 thread_handle: 0x000003a0 process_identifier: 5256 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\KL7MR6mZz2acpSc.exe track: 1 command_line: "{path}" filepath_r: C:\Users\test22\AppData\Local\Temp\KL7MR6mZz2acpSc.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000390	1	1
NtGetContextThread April 15, 2021, 9:37 a.m.	thread_handle: 0x000003a0	1	0
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 5256 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000390		3221225496
CreateProcessInternalW April 15, 2021, 9:37 a.m.	thread_identifier: 4772 thread_handle: 0x000003e0 process_identifier: 3916 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\KL7MR6mZz2acpSc.exe track: 1 command_line: "{path}" filepath_r: C:\Users\test22\AppData\Local\Temp\KL7MR6mZz2acpSc.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003d8	1	1
NtGetContextThread April 15, 2021, 9:37 a.m.	thread_handle: 0x000003e0	1	0
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 3916 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003d8		3221225496
CreateProcessInternalW April 15, 2021, 9:37 a.m.	thread_identifier: 8772 thread_handle: 0x000003e4 process_identifier: 1608 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\KL7MR6mZz2acpSc.exe track: 1 command_line: "{path}" filepath_r: C:\Users\test22\AppData\Local\Temp\KL7MR6mZz2acpSc.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003cc	1	1
NtGetContextThread April 15, 2021, 9:37 a.m.	thread_handle: 0x000003e4	1	0
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 1608 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003cc		3221225496
CreateProcessInternalW April 15, 2021, 9:37 a.m.	thread_identifier: 8408 thread_handle: 0x000003ec process_identifier: 5168 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\KL7MR6mZz2acpSc.exe track: 1 command_line: "{path}" filepath_r: C:\Users\test22\AppData\Local\Temp\KL7MR6mZz2acpSc.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003e8	1	1
NtGetContextThread April 15, 2021, 9:37 a.m.	thread_handle: 0x000003ec	1	0
NtAllocateVirtualMemory April 15, 2021, 9:37 a.m.	process_identifier: 5168 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003e8		3221225496

KL7MR6mZz2acpSc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All