Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 26, 2021, 10:18 a.m.	June 26, 2021, 10:20 a.m.

Size	1.4MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`fe72d7132c74d81c98dbd31543a00529`
SHA256	`59c0a91faf884e242be0d2384d94eba2536a8f155ae568355eed225f2543176e`
CRC32	`5F31DB0E`
ssdeep	`12288:yZt6QhCWK5JFyVRxWFFxz6oz28hZECIHXGc4YHeqho3yJp8/j6q31J9rWqDBbGFb:yJcJAf0FFA7n3b4Y+qwKn7r`
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Malicious_Packer_Zero - Malicious Packer Is_DotNET_EXE - (no description) Generic_Malware_Zero - Generic Malware IsPE32 - (no description) PE_Header_Zero - PE File Signature

tasksmgr.exe "C:\Users\test22\AppData\Local\Temp\tasksmgr.exe"
8024
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LAAbUwaLj" /XML "C:\Users\test22\AppData\Local\Temp\tmp7CA6.tmp"
  8548
- tasksmgr.exe "{path}"
  5888
  - update.exe "C:\Users\test22\AppData\Roaming\update.exe"
    2196
    - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LAAbUwaLj" /XML "C:\Users\test22\AppData\Local\Temp\tmp37F7.tmp"
      3944
    - update.exe "{path}"
      7608
      - attrib.exe attrib +h +r +s "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
        5932
      - attrib.exe attrib +h +r +s "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
        5512
  - attrib.exe attrib +h +r +s "C:\Users\test22\AppData\Roaming\update.exe"
    6080
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
sandshoe.myfirewall.org	A 45.133.1.67	45.133.1.67

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
45.133.1.67	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:57660 -> 164.124.101.2:53	2032792	ET INFO Observed DNS Query to DDNS Domain .myfirewall .org	Potentially Bad Traffic
TCP 192.168.56.102:49820 -> 45.133.1.67:5252	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 26, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2021, 10:20 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2021, 10:20 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 137 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0
IsDebuggerPresent June 26, 2021, 10:18 a.m.			0	0

Command line console output was observed (9 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 26, 2021, 10:19 a.m.	buffer: SUCCESS: The scheduled task "Updates\LAAbUwaLj" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW June 26, 2021, 10:19 a.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW June 26, 2021, 10:19 a.m.	buffer: Cannot create a file when that file already exists. console_handle: 0x0000000b	1	1
WriteConsoleW June 26, 2021, 10:20 a.m.	buffer: File not found - C:\Users\test22\AppData console_handle: 0x00000013	1	1
WriteConsoleW June 26, 2021, 10:20 a.m.	buffer: \Roaming\Microsoft\Windows\Start Menu\Pr console_handle: 0x00000013	1	1
WriteConsoleW June 26, 2021, 10:20 a.m.	buffer: ograms\Startup\Windows.exe console_handle: 0x00000013	1	1
WriteConsoleW June 26, 2021, 10:20 a.m.	buffer: File not found - C:\Users\test22\AppData console_handle: 0x00000013	1	1
WriteConsoleW June 26, 2021, 10:20 a.m.	buffer: \Roaming\Microsoft\Windows\Templates\Win console_handle: 0x00000013	1	1
WriteConsoleW June 26, 2021, 10:20 a.m.	buffer: dows.exe console_handle: 0x00000013	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 26, 2021, 10:18 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 26, 2021, 10:20 a.m.	stacktrace: 0x6d1ee4 0x6d1aee 0x6d1907 mscorlib+0x30c9ff @ 0x64ebc9ff mscorlib+0x302367 @ 0x64eb2367 mscorlib+0x3022a6 @ 0x64eb22a6 mscorlib+0x302261 @ 0x64eb2261 mscorlib+0x30ca7c @ 0x64ebca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x6f5a07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x6f577d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x6f577dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x6f577e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x6f50c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x6f5a0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x6f61a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 04 e3 74 64 8b c8 e8 5c 45 29 6f 8b f0 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6d27a1 registers.esp: 89583884 registers.edi: 38535180 registers.eax: 38474280 registers.ebp: 89583920 registers.edx: 38535180 registers.ebx: 38532016 registers.esi: 0 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

June 26, 2021, 10:20 a.m.

stacktrace:

0x6d1ee4
0x6d1aee
0x6d1907
mscorlib+0x30c9ff @ 0x64ebc9ff
mscorlib+0x302367 @ 0x64eb2367
mscorlib+0x3022a6 @ 0x64eb22a6
mscorlib+0x302261 @ 0x64eb2261
mscorlib+0x30ca7c @ 0x64ebca7c
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95
DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x6f5a07d8
LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x6f577d4d
LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x6f577dbb
LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x6f577e88
DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x6f50c3bf
DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x6f5a0694
DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x6f61a0cf
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 39 09 e8 04 e3 74 64 8b c8 e8 5c 45 29 6f 8b f0
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6d27a1
registers.esp: 89583884
registers.edi: 38535180
registers.eax: 38474280
registers.ebp: 89583920
registers.edx: 38535180
registers.ebx: 38532016
registers.esi: 0
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 202 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00750000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00462000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00671000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00672000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00673000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00674000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00675000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00676000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010ac000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010ac000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f50000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f50000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f50000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f52000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0102d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0102d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0102d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0102d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0102d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0102d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0102d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0102d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0102d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0102d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0102d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0102d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0102d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0102d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0102d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0102d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0102d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0102d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0102d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0102d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0102d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0102d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0102d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0102d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0102d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2021, 10:18 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0102d000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (4 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
file	C:\Users\test22\AppData\Roaming\update.exe
file	C:\Users\test22\AppData\Roaming\LAAbUwaLj.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Creates a shortcut to an executable file (4 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk

Creates a suspicious process (4 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LAAbUwaLj" /XML "C:\Users\test22\AppData\Local\Temp\tmp37F7.tmp"
cmdline	schtasks.exe /Create /TN "Updates\LAAbUwaLj" /XML "C:\Users\test22\AppData\Local\Temp\tmp37F7.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LAAbUwaLj" /XML "C:\Users\test22\AppData\Local\Temp\tmp7CA6.tmp"
cmdline	schtasks.exe /Create /TN "Updates\LAAbUwaLj" /XML "C:\Users\test22\AppData\Local\Temp\tmp7CA6.tmp"

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\update.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\update.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 26, 2021, 10:19 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\LAAbUwaLj" /XML "C:\Users\test22\AppData\Local\Temp\tmp7CA6.tmp" filepath: schtasks.exe	1	1	0
ShellExecuteExW June 26, 2021, 10:19 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\LAAbUwaLj" /XML "C:\Users\test22\AppData\Local\Temp\tmp37F7.tmp" filepath: schtasks.exe	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (5 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW June 26, 2021, 10:18 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 26, 2021, 10:20 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 26, 2021, 10:20 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 26, 2021, 10:19 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 26, 2021, 10:20 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (16 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (7 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LAAbUwaLj" /XML "C:\Users\test22\AppData\Local\Temp\tmp37F7.tmp"
cmdline	schtasks.exe /Create /TN "Updates\LAAbUwaLj" /XML "C:\Users\test22\AppData\Local\Temp\tmp37F7.tmp"
cmdline	attrib +h +r +s "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LAAbUwaLj" /XML "C:\Users\test22\AppData\Local\Temp\tmp7CA6.tmp"
cmdline	attrib +h +r +s "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
cmdline	schtasks.exe /Create /TN "Updates\LAAbUwaLj" /XML "C:\Users\test22\AppData\Local\Temp\tmp7CA6.tmp"
cmdline	attrib +h +r +s "C:\Users\test22\AppData\Roaming\update.exe"

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 26, 2021, 10:19 a.m.	process_identifier: 5888 region_size: 57344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002dc	1	0	0
NtAllocateVirtualMemory June 26, 2021, 10:19 a.m.	process_identifier: 7608 region_size: 57344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003c4	1	0	0

Installs itself for autorun at Windows startup (50 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows2	reg_value	C:\Users\test22\AppData\Roaming\update.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows2	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows	reg_value	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Potential code injection by writing to the memory of another process (8 events)

Time & API	Arguments	Status	Return
WriteProcessMemory June 26, 2021, 10:19 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELøÊ`àd @ à@@K @À H.textc d `.rsrc@ f@@.relocÀj@B base_address: 0x00400000 process_identifier: 5888 process_handle: 0x000002dc	1	1
WriteProcessMemory June 26, 2021, 10:19 a.m.	buffer: 0HX çä<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x0040a000 process_identifier: 5888 process_handle: 0x000002dc	1	1
WriteProcessMemory June 26, 2021, 10:19 a.m.	buffer: 3 base_address: 0x0040c000 process_identifier: 5888 process_handle: 0x000002dc	1	1
WriteProcessMemory June 26, 2021, 10:19 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 5888 process_handle: 0x000002dc	1	1
WriteProcessMemory June 26, 2021, 10:19 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELøÊ`àd @ à@@K @À H.textc d `.rsrc@ f@@.relocÀj@B base_address: 0x00400000 process_identifier: 7608 process_handle: 0x000003c4	1	1
WriteProcessMemory June 26, 2021, 10:19 a.m.	buffer: 0HX çä<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x0040a000 process_identifier: 7608 process_handle: 0x000003c4	1	1
WriteProcessMemory June 26, 2021, 10:19 a.m.	buffer: 3 base_address: 0x0040c000 process_identifier: 7608 process_handle: 0x000003c4	1	1
WriteProcessMemory June 26, 2021, 10:19 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 7608 process_handle: 0x000003c4	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 26, 2021, 10:19 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELøÊ`àd @ à@@K @À H.textc d `.rsrc@ f@@.relocÀj@B base_address: 0x00400000 process_identifier: 5888 process_handle: 0x000002dc	1	1	0
WriteProcessMemory June 26, 2021, 10:19 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELøÊ`àd @ à@@K @À H.textc d `.rsrc@ f@@.relocÀj@B base_address: 0x00400000 process_identifier: 7608 process_handle: 0x000003c4	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 8024 called NtSetContextThread to modify thread in remote process 5888
Process injection	Process 2196 called NtSetContextThread to modify thread in remote process 7608
NtSetContextThread June 26, 2021, 10:19 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4227982 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003ec process_identifier: 5888	1	0	0
NtSetContextThread June 26, 2021, 10:19 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4227982 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003c8 process_identifier: 7608	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 8024 resumed a thread in remote process 5888
Process injection	Process 2196 resumed a thread in remote process 7608
NtResumeThread June 26, 2021, 10:19 a.m.	thread_handle: 0x000003ec suspend_count: 1 process_identifier: 5888	1	0	0
NtResumeThread June 26, 2021, 10:19 a.m.	thread_handle: 0x000003c8 suspend_count: 1 process_identifier: 7608	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 52 events)

Time & API	Arguments	Status	Return
NtResumeThread June 26, 2021, 10:18 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 8024	1	0
NtResumeThread June 26, 2021, 10:18 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 8024	1	0
NtResumeThread June 26, 2021, 10:18 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 8024	1	0
NtResumeThread June 26, 2021, 10:18 a.m.	thread_handle: 0x00000204 suspend_count: 1 process_identifier: 8024	1	0
NtGetContextThread June 26, 2021, 10:18 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread June 26, 2021, 10:18 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread June 26, 2021, 10:18 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 8024	1	0
NtGetContextThread June 26, 2021, 10:18 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread June 26, 2021, 10:18 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread June 26, 2021, 10:18 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 8024	1	0
NtResumeThread June 26, 2021, 10:18 a.m.	thread_handle: 0x00000270 suspend_count: 1 process_identifier: 8024	1	0
NtResumeThread June 26, 2021, 10:18 a.m.	thread_handle: 0x00000290 suspend_count: 1 process_identifier: 8024	1	0
NtResumeThread June 26, 2021, 10:19 a.m.	thread_handle: 0x00000304 suspend_count: 1 process_identifier: 8024	1	0
CreateProcessInternalW June 26, 2021, 10:19 a.m.	thread_identifier: 4980 thread_handle: 0x0000042c process_identifier: 8548 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LAAbUwaLj" /XML "C:\Users\test22\AppData\Local\Temp\tmp7CA6.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000434	1	1
CreateProcessInternalW June 26, 2021, 10:19 a.m.	thread_identifier: 5332 thread_handle: 0x000003ec process_identifier: 5888 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\tasksmgr.exe track: 1 command_line: "{path}" filepath_r: C:\Users\test22\AppData\Local\Temp\tasksmgr.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002dc	1	1
NtGetContextThread June 26, 2021, 10:19 a.m.	thread_handle: 0x000003ec	1	0
NtAllocateVirtualMemory June 26, 2021, 10:19 a.m.	process_identifier: 5888 region_size: 57344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002dc	1	0
WriteProcessMemory June 26, 2021, 10:19 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELøÊ`àd @ à@@K @À H.textc d `.rsrc@ f@@.relocÀj@B base_address: 0x00400000 process_identifier: 5888 process_handle: 0x000002dc	1	1
WriteProcessMemory June 26, 2021, 10:19 a.m.	buffer: base_address: 0x00402000 process_identifier: 5888 process_handle: 0x000002dc	1	1
WriteProcessMemory June 26, 2021, 10:19 a.m.	buffer: 0HX çä<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x0040a000 process_identifier: 5888 process_handle: 0x000002dc	1	1
WriteProcessMemory June 26, 2021, 10:19 a.m.	buffer: 3 base_address: 0x0040c000 process_identifier: 5888 process_handle: 0x000002dc	1	1
WriteProcessMemory June 26, 2021, 10:19 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 5888 process_handle: 0x000002dc	1	1
NtSetContextThread June 26, 2021, 10:19 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4227982 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003ec process_identifier: 5888	1	0
NtResumeThread June 26, 2021, 10:19 a.m.	thread_handle: 0x000003ec suspend_count: 1 process_identifier: 5888	1	0
NtResumeThread June 26, 2021, 10:19 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 5888	1	0
NtResumeThread June 26, 2021, 10:19 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 5888	1	0
NtResumeThread June 26, 2021, 10:19 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 5888	1	0
CreateProcessInternalW June 26, 2021, 10:19 a.m.	thread_identifier: 5168 thread_handle: 0x000003d8 process_identifier: 2196 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\update.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\update.exe" filepath_r: C:\Users\test22\AppData\Roaming\update.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003e0	1	1
CreateProcessInternalW June 26, 2021, 10:19 a.m.	thread_identifier: 6444 thread_handle: 0x00000384 process_identifier: 6080 current_directory: filepath: track: 1 command_line: attrib +h +r +s "C:\Users\test22\AppData\Roaming\update.exe" filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000380	1	1
NtResumeThread June 26, 2021, 10:19 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2196	1	0
NtResumeThread June 26, 2021, 10:19 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2196	1	0
NtResumeThread June 26, 2021, 10:19 a.m.	thread_handle: 0x000001c4 suspend_count: 1 process_identifier: 2196	1	0
NtResumeThread June 26, 2021, 10:19 a.m.	thread_handle: 0x000001e0 suspend_count: 1 process_identifier: 2196	1	0
NtResumeThread June 26, 2021, 10:19 a.m.	thread_handle: 0x0000026c suspend_count: 1 process_identifier: 2196	1	0
NtResumeThread June 26, 2021, 10:19 a.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 2196	1	0
CreateProcessInternalW June 26, 2021, 10:19 a.m.	thread_identifier: 7304 thread_handle: 0x00000408 process_identifier: 3944 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LAAbUwaLj" /XML "C:\Users\test22\AppData\Local\Temp\tmp37F7.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000410	1	1
CreateProcessInternalW June 26, 2021, 10:19 a.m.	thread_identifier: 2428 thread_handle: 0x000003c8 process_identifier: 7608 current_directory: filepath: C:\Users\test22\AppData\Roaming\update.exe track: 1 command_line: "{path}" filepath_r: C:\Users\test22\AppData\Roaming\update.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003c4	1	1
NtGetContextThread June 26, 2021, 10:19 a.m.	thread_handle: 0x000003c8	1	0
NtAllocateVirtualMemory June 26, 2021, 10:19 a.m.	process_identifier: 7608 region_size: 57344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003c4	1	0
WriteProcessMemory June 26, 2021, 10:19 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELøÊ`àd @ à@@K @À H.textc d `.rsrc@ f@@.relocÀj@B base_address: 0x00400000 process_identifier: 7608 process_handle: 0x000003c4	1	1
WriteProcessMemory June 26, 2021, 10:19 a.m.	buffer: base_address: 0x00402000 process_identifier: 7608 process_handle: 0x000003c4	1	1
WriteProcessMemory June 26, 2021, 10:19 a.m.	buffer: 0HX çä<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x0040a000 process_identifier: 7608 process_handle: 0x000003c4	1	1
WriteProcessMemory June 26, 2021, 10:19 a.m.	buffer: 3 base_address: 0x0040c000 process_identifier: 7608 process_handle: 0x000003c4	1	1
WriteProcessMemory June 26, 2021, 10:19 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 7608 process_handle: 0x000003c4	1	1
NtSetContextThread June 26, 2021, 10:19 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4227982 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003c8 process_identifier: 7608	1	0
NtResumeThread June 26, 2021, 10:19 a.m.	thread_handle: 0x000003c8 suspend_count: 1 process_identifier: 7608	1	0
NtResumeThread June 26, 2021, 10:19 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 7608	1	0
NtResumeThread June 26, 2021, 10:19 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 7608	1	0
NtResumeThread June 26, 2021, 10:19 a.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 7608	1	0
CreateProcessInternalW June 26, 2021, 10:20 a.m.	thread_identifier: 5988 thread_handle: 0x00000328 process_identifier: 5932 current_directory: filepath: track: 1 command_line: attrib +h +r +s "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe" filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000032c	1	1

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

Elastic	malicious (high confidence)
McAfee	Artemis!FE72D7132C74
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 0057e8491 )
Alibaba	Trojan:Win32/starter.ali1000139
K7GW	Trojan ( 0057e8491 )
Cyren	W32/MSIL_Troj.BDE.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik.ABQL
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	HEUR:Trojan-Spy.MSIL.Noon.gen
Paloalto	generic.ml
McAfee-GW-Edition	BehavesLike.Win32.Generic.th
FireEye	Generic.mg.fe72d7132c74d81c
Sophos	Mal/Generic-S
Webroot	W32.Trojan.Gen
eGambit	Unsafe.AI_Score_57%
Microsoft	Trojan:Win32/AgentTesla!ml
GData	MSIL.Malware.Injector.HFU060
Cynet	Malicious (score: 100)
VBA32	CIL.HeapOverride.Heur
Malwarebytes	Trojan.Crypt.MSIL
TrendMicro-HouseCall	TROJ_GEN.R002H0CFP21
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.ABHB!tr
BitDefenderTheta	Gen:NN.ZemsilF.34758.wn0@aWyfgcg
AVG	Win32:MalwareX-gen [Trj]
CrowdStrike	win/malicious_confidence_70% (W)

tasksmgr.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All