Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 15, 2021, 10:28 a.m.	June 15, 2021, 10:39 a.m.

Size	840.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`285cc0e41ca87f5eb2a6d08680a0f94b`
SHA256	`7fe8fc25255d0fbe221579b985327bb67bb1226f39dfc71b8b59e6a2b15fff11`
CRC32	`F074A5A3`
ssdeep	`12288:I9pjeQ1aTLMc3TdK8LmgI/RfAQiq1X1cqJ5cEuK6jIbHSGhXH9VCZ6v:I2QETLMKTdcgKfbJX15u/XGhj`
PDB Path	C:\Users\Administrator\Desktop\Client\Temp\iCbdQtFLAg\src\obj\Debug\EventCacheKeyEqualityComparer.pdb
Yara	PE_Header_Zero - PE File Signature Admin_Tool_IN_Zero - Admin Tool Sysinternals Is_DotNET_EXE - (no description) IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library

bin.exe "C:\Users\test22\AppData\Local\Temp\bin.exe"
2088
- bin.exe "C:\Users\test22\AppData\Local\Temp\bin.exe"
  2776

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 15, 2021, 10:28 a.m.			0	0
IsDebuggerPresent June 15, 2021, 10:28 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey June 15, 2021, 10:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00436c80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2021, 10:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00436580 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2021, 10:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00436580 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

C:\Users\Administrator\Desktop\Client\Temp\iCbdQtFLAg\src\obj\Debug\EventCacheKeyEqualityComparer.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 15, 2021, 10:28 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 79 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory June 15, 2021, 10:28 a.m.	process_identifier: 2088 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:28 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 15, 2021, 10:28 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 15, 2021, 10:28 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:28 a.m.	process_identifier: 2088 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02350000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:28 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02500000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:28 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:28 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:28 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:28 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:28 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:28 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:28 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:28 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:28 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00537000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:28 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:28 a.m.	process_identifier: 2088 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:28 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:28 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:28 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:28 a.m.	process_identifier: 2088 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:28 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:28 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:29 a.m.	process_identifier: 2088 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 15, 2021, 10:29 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dde2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:29 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a48000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:29 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:29 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a49000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:29 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a4a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:29 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a4b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:29 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a4c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:29 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a4d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:29 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a4e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:29 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 15, 2021, 10:29 a.m.	process_identifier: 2088 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 15, 2021, 10:29 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05100178 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 15, 2021, 10:29 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051001a0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 15, 2021, 10:29 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051001c8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 15, 2021, 10:29 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0518b81e process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 15, 2021, 10:29 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0518b812 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 15, 2021, 10:29 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 72 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05100208 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 15, 2021, 10:29 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051650e8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 15, 2021, 10:29 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0516510c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 15, 2021, 10:29 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05165114 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 15, 2021, 10:29 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05165118 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 15, 2021, 10:29 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05165120 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 15, 2021, 10:29 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05165124 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 15, 2021, 10:29 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05165128 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 15, 2021, 10:29 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0516512c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 15, 2021, 10:29 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05165134 process_handle: 0xffffffff		3221225550

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000d1400', u'virtual_address': u'0x00002000', u'entropy': 7.73423110687334, u'name': u'.text', u'virtual_size': u'0x000d13b0'}

entropy

7.73423110687

description

A section with a high entropy has been found

entropy

0.997022036927

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 15, 2021, 10:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 15, 2021, 10:29 a.m.	process_identifier: 2776 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 15, 2021, 10:29 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELu=à pðÏ@@.text op ` base_address: 0x00400000 process_identifier: 2776 process_handle: 0x000002a4	1	1	0
WriteProcessMemory June 15, 2021, 10:29 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2776 process_handle: 0x000002a4	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 15, 2021, 10:29 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELu=à pðÏ@@.text op ` base_address: 0x00400000 process_identifier: 2776 process_handle: 0x000002a4	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2088 called NtSetContextThread to modify thread in remote process 2776
NtSetContextThread June 15, 2021, 10:29 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4313072 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002a0 process_identifier: 2776	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2088 resumed a thread in remote process 2776
NtResumeThread June 15, 2021, 10:29 a.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 2776	1	0	0

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

McAfee	RDN/Generic BackDoor
Cylance	Unsafe
AegisLab	Trojan.MSIL.Taskun.4!c
Alibaba	Trojan:Win32/Kryptik.ali2000016
K7GW	Trojan ( 0057e0591 )
Cyren	W32/MSIL_Kryptik.ENH.gen!Eldorado
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of MSIL/Kryptik.ABLO
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
Avast	Win32:PWSX-gen [Trj]
Sophos	Mal/Generic-S
TrendMicro	TrojanSpy.MSIL.NEGASTEAL.SMG
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Trojan.Crypt (A)
SentinelOne	Static AI - Suspicious PE
MAX	malware (ai score=99)
Kingsoft	Win32.PSWTroj.Undef.(kcloud)
Microsoft	Backdoor:Win32/Androm.MR!MTB
GData	Win32.Trojan-Stealer.FormBook.42RPZI
Cynet	Malicious (score: 100)
Malwarebytes	MachineLearning/Anomalous.97%
TrendMicro-HouseCall	TrojanSpy.MSIL.NEGASTEAL.SMG
Ikarus	Backdoor.MSIL.Bladabindi
Fortinet	W32/Agensla.ABLO!tr.pws
Webroot	W32.Trojan.Gen
AVG	Win32:PWSX-gen [Trj]

Executed a process and injected code into it, probably while unpacking (12 events)

Time & API	Arguments	Status	Return
NtResumeThread June 15, 2021, 10:28 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2088	1	0
NtResumeThread June 15, 2021, 10:28 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2088	1	0
NtResumeThread June 15, 2021, 10:28 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2088	1	0
NtResumeThread June 15, 2021, 10:29 a.m.	thread_handle: 0x00000258 suspend_count: 1 process_identifier: 2088	1	0
CreateProcessInternalW June 15, 2021, 10:29 a.m.	thread_identifier: 1908 thread_handle: 0x000002a0 process_identifier: 2776 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\bin.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\bin.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002a4	1	1
NtGetContextThread June 15, 2021, 10:29 a.m.	thread_handle: 0x000002a0	1	0
NtAllocateVirtualMemory June 15, 2021, 10:29 a.m.	process_identifier: 2776 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4	1	0
WriteProcessMemory June 15, 2021, 10:29 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELu=à pðÏ@@.text op ` base_address: 0x00400000 process_identifier: 2776 process_handle: 0x000002a4	1	1
WriteProcessMemory June 15, 2021, 10:29 a.m.	buffer: base_address: 0x00401000 process_identifier: 2776 process_handle: 0x000002a4	1	1
WriteProcessMemory June 15, 2021, 10:29 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2776 process_handle: 0x000002a4	1	1
NtSetContextThread June 15, 2021, 10:29 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4313072 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002a0 process_identifier: 2776	1	0
NtResumeThread June 15, 2021, 10:29 a.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 2776	1	0

bin.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All